Abstract

Concurrent Timestamp Systems (CTSS) allow processes to temporally order concurrent events in an asynchronous shared memory system. Bounded memory constructions of a CTSS are extremely powerful tools for concurrency control, and are the basis for solutions to many coordination problems including mutual exclusion, randomized consensus, and multiwriter multireader atomic registers. Unfortunately, known bounded CTSS constructions seem to be complex from the algorithmic point of view. Because of the importance of bounded CTSS, the rather involved original construction by Dolev and Shavit was followed by a series of papers that tried to provide more easily verifiable CTSS constructions.

In this paper, we present what we believe is the simplest, most modular, and most easily proven bounded CTSS algorithm known to date. The algorithm is constructed and its correctness proven by carefully reasoned use of several tools. Our algorithm combines the labeling method of the Dolev-Shavit CTSS with the atomic snapshot algorithm proposed by Afek et al., in a way that limits the number of interleavings that can occur. To facilitate our correctness proof, we introduce a specially tailored intermediate CTSS specification using unbounded label values taken from the positive reals. Our correctness proof first shows that the real-number based specification meets the CTSS axioms. Using the forward simulation techniques of the I/O Automata model, we then show that our bounded algorithm implements the real-number based specification. Finally, we prove that any CTSS that meets the CTSS axioms can be used to implement multireader multiwriter atomic registers and first-come-first-serve (FCFS) mutual exclusion.
1 Introduction

The paradigm of concurrent timestamping is at the heart of solutions to some of the most fundamental problems in multiprocessor concurrency control. Examples of such problems include FCFS mutual exclusion [19], construction of a multireader multiwriter atomic register [34], and randomized consensus [8]. A simple bounded construction of a CTSS implies simple bounded solutions to most of these extensively researched problems.

A timestamp system is somewhat like a ticket machine at an ice cream parlor. People's requests to buy the ice cream are timestamped based on a numbered ticket (label) taken from the machine. Any person, in order to know in what order the requests will be served, can scan through all the labels and establish the total order among them. A concurrent timestamp system (CTSS) is a timestamp system in which any process can either take a new ticket or scan the existing tickets simultaneously with other processes. Furthermore, a CTSS is waitfree, which means that a process is guaranteed to finish either of the two tasks mentioned above in a finite number of steps, even if other processes experience stopping failures. Waitfree algorithms are highly suited for fault tolerant and realtime applications (see [16]).

Israeli and Li, in [17], were the first to isolate the notion of bounded timestamping (timestamping using bounded size memory) as an independent concept, developing an elegant theory of bounded sequential timestamp systems. Sequential timestamp systems prohibit concurrent operations. This work was continued in several interesting papers on sequential systems with weaker ordering requirements by Li and Vitanyi [26], Cori and Sopena [9] and Saks and Zaharoglou [35]. Dolev and Shavit [11] were the first to define and construct a bounded concurrent timestamp system. However, to quote [12]: "Their algorithm is ingenious but its proof is long and involved."

Because of the importance of the bounded concurrent timestamping problem, the original solution by Dolev and Shavit has been followed by a series of papers directed at providing a simpler bounded CTSS algorithm. Israeli and Pinchasov [18] have simplified the [11] algorithm and its proof by modifying the labeling scheme of [11], introducing a new label scanning method, and simplifying the ordering-of-events based formal proof [23] by reasoning about global states (However, it still takes over 40 pages...). Dwork and Waarts [12] have taken a totally different approach, by having their bounded construction simulate a new and simpler type of unbounded CTSS construction in which processes choose from "local pools" of label values instead of a "global pool" as in [11, 18]. However, in order to bound the number of possible label values in the local pools, they are forced to introduce a form of amortized garbage collection. This greatly complicates their algorithm. (Their algorithm only has an informal operational proof.)

In this paper, we present a novel bounded algorithm that we believe is the simplest, most modular, and most easily proven CTSS algorithm known to date. Our basic approach is to decompose the problem into several distinct pieces.

• We base our algorithm on the atomic snapshot primitive introduced by Afek et al. [1] (we use it as a black box). This primitive is waitfree and allows a process to collect an "instantaneous" view of an array of shared registers. [1] gives an implementation of this primitive from atomic single writer multireader registers. By using a snapshot primitive, we limit the number of interleavings that can occur.

• The labeling operation, the operation of choosing a new label given a set of older ones, is very complex in all former algorithms. Based on the snapshot operation, we introduce a much simplified version of the labeling algorithm of [11].

• Proving that the bounded algorithm satisfies the CTSS specification has in the past led to long and involved inductive arguments. We overcome this problem by introducing a CTSS specification that uses label values taken from the unbounded positive reals. Our correctness proof first shows that the real-number based specification meets the CTSS axioms of [11]. Using the forward simulation techniques of the I/O Automata model, we then show that our bounded algorithm implements the real-number based specification. (See [30] for references and a discussion of forward simulation techniques.)

The most efficient bounded CTSS implementations [12, 18] require $O(n)$ time per operation. Though one might think that a high price in complexity must be paid for our algorithm's modularity and ease of proof, this is not the case. The size of the labels is $O(n)$, and the time complexity of our algorithm is just that of the underlying atomic snapshot algorithm. The snapshot implementation of [3] requires $O(n\sqrt{n})$ single writer multireader register operations per snapshot operation. Hence the complexity of our algorithm is $O(n\sqrt{n})$ for each operation.



The final section of this paper considers some applications of the CTSS primitive. We present specific algorithms for FCFS mutual exclusion and multireader multiwriter atomic registers and prove that any CTSS can be used as a primitive in these algorithms.

2 I/O Automata Model 

We present our algorithm in the context of the I/O Automata model. This model, introduced by Lynch and Tuttle [29], represents algorithms as I/O Automata which are characterized by states, initial states, a set of actions called an action signature, state transitions called steps and an equivalence relation on some of the actions of the action signature called a partition. For an I/O Automaton A its five components are denoted by states(A), start(A), sig(A), steps(A), and part(A) respectively.

A step that results from an action is denoted by $(s, \pi, s')$ where $s$ is the original state, $\pi$ is the action, and $s'$ is the new state. If an action can be executed in a state $s$, it is said to be enabled in $s$. If an action is not enabled in state $s$, it is said to be disabled in $s$. Actions are classified into external actions, ext(A), those visible to the user of the algorithm, and internal actions, int(A), which are not visible to the user. External actions are further classified into input actions, in(A), which are under the control of the user of the algorithm, and output actions, out(A), which are under the control of the algorithm. By definition input actions are enabled in all states. For an I/O Automaton A the tuple consisting of in(A) and out(A) is called A's external action signature, exsig(A). We now give a more precise definition for some of the elements of an I/O Automaton. Specifically, for an I/O Automaton A, $sig(A) = (in(A), out(A), int(A))$. Furthermore, part(A) defines an equivalence relation on the set of internal actions and output actions of A. Finally, we define $acts(A) = in(A) \cup out(A) \cup int(A)$.

An execution of an I/O Automaton is an alternating sequence of states and actions that could be produced if the algorithm is executed starting from an initial state. A state is called reachable if it is the final state of some execution. A fair execution, $\alpha$, of infinite length is one in which for all $C \in part(A)$, if some action from $C$ (not necessarily always the same action) is continuously enabled, $\alpha$ contains infinitely many actions from $C$. A fair execution of finite length is one in which for all $C \in part(A)$ no actions of $C$ are enabled in the final state. A schedule, sched($\alpha$), is the projection of an execution $\alpha$ onto the actions of the I/O Automaton. A fair schedule, fairsched($\alpha$), is the projection of a fair execution $\alpha$ on the actions of the I/O Automaton. A behavior, beh($\alpha$), is the projection of an execution $\alpha$ onto the external actions of the I/O Automaton. A fair behavior, fairbeh($\alpha$), is the projection of a fair execution $\alpha$ on the external actions of the I/O Automaton. The set of all possible behaviors of an I/O Automaton A is called behs(A). The set of all possible fair behaviors of an I/O Automaton A is called fairbehs(A).

In order to build complex I/O Automata from simple ones, the I/O Automata model defines the concept of composition. Composed I/O Automata interact using input and output actions that have the same name. Specifically, assume A and B are two composed I/O Automata. Let ACT be an output action of A and an input action of B. If A executes ACT, this triggers the execution of ACT for B. In order to compose a set of I/O Automata, we must place certain restrictions on the action names of the I/O Automata. Specifically, we require that none of the I/O Automata share any output actions, the internal actions of each I/O Automaton are not elements of the action sets of any other I/O Automaton, and no action can be an element of the action sets of infinitely many I/O Automata (see [29] for a discussion of these restrictions). I/O Automata that satisfy these restrictions are said to be strongly compatible.

Definition 2.1 Let $I = \{1 \ldots n\}$. A composition $A = \prod_{i \in I} A_i$ of a countable collection of strongly compatible I/O Automata $\{A_1 \ldots A_n\}$ is the I/O Automaton defined as follows$^1$:

• $sig(A) = \left( \bigcup_{i \in I} in(A_i) - \bigcup_{i \in I} out(A_i),\ \bigcup_{i \in I} out(A_i),\ \bigcup_{i \in I} int(A_i) \right)$,

• $states(A) = \prod_{i \in I} states(A_i)$,

• $start(A) = \prod_{i \in I} start(A_i)$,

• $steps(A)$ is the set of triples $(s_1, \pi, s_2)$ such that for all $i$, if $\pi \in acts(A_i)$ then $(s_1[i], \pi, s_2[i]) \in steps(A_i)$, and if $\pi \notin acts(A_i)$ then $s_1[i] = s_2[i]$,

• $part(A) = \bigcup_{i \in I} part(A_i)$.

$^1$ The $\prod$ symbol used to define $states(A)$ and $start(A)$ represents the normal Cartesian product. The notation $s[i]$ denotes the $i$th component of the state vector $s$.
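As an added illustration of Definition 2.1 (this is example code, not code from the paper), the following Python builds the composition of two small, constructed I/O Automata: a requester whose output action req is the server's input, and a server whose output action grant is the requester's input. The IOAutomaton class, the two automata and their action names are assumptions made for the example; the composed signature, state set, start states and steps are computed exactly as the definition states, including the rule that an action in a component's signature must be taken by that component while every other component keeps its state.

```python
from itertools import product

class IOAutomaton:
    """A finite I/O Automaton (constructed model for this example, not the paper's code).
    steps is a set of (state, action, state') triples; part is a list of
    equivalence classes (frozensets) over the output and internal actions."""
    def __init__(self, states, start, inputs, outputs, internals, steps, part):
        self.states, self.start = set(states), set(start)
        self.inputs, self.outputs, self.internals = set(inputs), set(outputs), set(internals)
        self.steps, self.part = set(steps), list(part)

    def acts(self):
        return self.inputs | self.outputs | self.internals

    def enabled(self, s):
        """Actions that have a step out of state s."""
        return {a for (s1, a, _) in self.steps if s1 == s}

def compose(autos):
    """Definition 2.1: the composition of strongly compatible automata."""
    for i, a in enumerate(autos):
        for j, b in enumerate(autos):
            if i != j:
                assert not (a.outputs & b.outputs), "components share an output action"
                assert not (a.internals & b.acts()), "internal action visible elsewhere"
    all_out = set().union(*(a.outputs for a in autos))
    inputs = set().union(*(a.inputs for a in autos)) - all_out
    internals = set().union(*(a.internals for a in autos))
    states = set(product(*(a.states for a in autos)))   # Cartesian product
    start = set(product(*(a.start for a in autos)))
    steps = set()
    for s1 in states:
        for pi in inputs | all_out | internals:
            # every component with pi in its signature must take a pi-step;
            # every other component keeps its state component unchanged
            options = []
            for a, comp in zip(autos, s1):
                if pi in a.acts():
                    options.append([s2 for (x, act, s2) in a.steps if x == comp and act == pi])
                else:
                    options.append([comp])
            for s2 in product(*options):
                steps.add((s1, pi, s2))
    part = [c for a in autos for c in a.part]
    return IOAutomaton(states, start, inputs, all_out, internals, steps, part)

# Constructed components: a requester and a server synchronizing on req / grant.
requester = IOAutomaton(
    states={"idle", "waiting"}, start={"idle"},
    inputs={"grant"}, outputs={"req"}, internals=set(),
    steps={("idle", "req", "waiting"),      # output: may request when idle
           ("waiting", "grant", "idle"),    # input: a grant returns it to idle
           ("idle", "grant", "idle")},      # inputs are enabled in every state
    part=[frozenset({"req"})])
server = IOAutomaton(
    states={"free", "busy"}, start={"free"},
    inputs={"req"}, outputs={"grant"}, internals=set(),
    steps={("free", "req", "busy"), ("busy", "req", "busy"),
           ("busy", "grant", "free")},      # output: only grants while busy
    part=[frozenset({"grant"})])

system = compose([requester, server])
```

Because req and grant are each an output of one component, neither survives as an input of the composition, and grant is enabled in the composed state (waiting, busy) only because the server, which controls it, has a grant step there.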



We sometimes do not want the actions that constitute the interface between two composed 
I/O Automata to be visible to the environment. Therefore, the I/O Automata Model makes it 
possible to reclassify output actions to be internal actions. Such reclassified actions are said to 
be hidden. 

The I/O Automata model represents a problem specification, P, as an external action signature, exsig(P), along with a set of allowable behaviors, behs(P), on the actions in exsig(P). An I/O Automaton A is said to solve a problem specification P if exsig(A) = exsig(P) and $fairbehs(A) \subseteq behs(P)$. We say that an I/O Automaton A implements another I/O Automaton B if $fairbehs(A) \subseteq fairbehs(B)$. Our correctness proof uses the following theorem on simulation proofs, which is a restricted version of a theorem in [29].

Theorem 2.1 Let A and B be I/O Automata with sig(A) = sig(B), part(A) = part(B), and R a relation over the states of A and B. Suppose:

1. If $a$ is an initial state of A, then there exists an initial state $b$ of B such that $(a, b) \in R$.

2. Suppose $a$ is a reachable state of A and $b$ is a reachable state of B such that $(a, b) \in R$. If $(a, \pi, a')$ is a step of A then there exists a state $b'$ of B such that $(b, \pi, b')$ is a step of B and $(a', b') \in R$.

3. If action $\pi$ is enabled in state $b$ of B and $(a, b) \in R$ then action $\pi$ is enabled in state $a$ of A.

Then $fairbehs(A) \subseteq fairbehs(B)$.

The I/O Automata model, while providing efficient techniques for reasoning about the 
correctness of algorithms, is much more general than the shared memory model [23] for which 
our timestamp algorithm is designed. Consequently, we introduce some added structure to the 
I/O Automata model. This section describes the basics needed to understand our correctness 
proof. Section 9 provides a more sophisticated development of shared memory concepts in the 
I/O Automata model. Some of the concepts in this section and most of the concepts in Section 9 
are due to Goldman, Lynch and Yelick [15]. (See [28] for discussion of similar issues.) 

We first introduce a type of interface which will be used to characterize the external action signature of I/O Automata and problem specifications for the shared memory model. The interface captures the intuitive notion of a set of processes that perform operations on behalf of some user. Typically, any process might be able to perform several types of operations.

Definition 2.2 (operational interface) An operational interface is an external action signature S that partitions its actions into disjoint sets called operation types. The set of operation types of S is denoted by ops(S). Each operation type consists of at least one input and one output action. ■

As a shorthand, we will sometimes use the term operation instead of operation type. Notice that an operational interface only describes an external action signature. Hence an operational interface can be used to describe both I/O Automata and problem specifications. If we compose two I/O Automata which have an operational interface, the set of operation types of the composed I/O Automaton is the union of the sets of operation types of each of the constituent I/O Automata. Again, we must add some restrictions on a set of I/O Automata being composed. Assume that we wish to compose I/O Automaton A and I/O Automaton B. We require that each action in $acts(A) \cap acts(B)$ be an element of the same operation type in A and B. Furthermore, if one action of an operation type of A or B is in $acts(A) \cap acts(B)$ then all actions of that operation type are in $acts(A) \cap acts(B)$. An operation instance is defined as follows:

Definition 2.3 (operation instance) Let $\beta$ be a behavior of an operational interface. Let $a$ be an operation type of the operational interface. An operation instance is the occurrence of an input action of $a$ and the first output action of $a$ that follows the input action of $a$ in the behavior $\beta$. ■

We now introduce a set of notational conventions. Let S be an operational interface. For an operation type $a \in ops(S)$ we refer to the input actions of $a$ by INVOKE($a, v$) and the output actions of $a$ by RESPONSE($a, r$). The symbols $v$ and $r$ are syntactic placeholders for any arguments$^2$ that are used by this operation type. The I/O Automata and problem specifications that we consider typically allow several concurrent operations. We model concurrent operations with I/O Automata whose operational interfaces are structured as follows. Assume that A is an I/O Automaton with an operational interface that can handle up to $n$ concurrent operations. Then for each $i \in \{1 \ldots n\}$ there exists a non-empty set of operation types $S_i \subseteq ops(exsig(A))$. $S_i$ and $S_j$ are disjoint when $i \neq j$. For each operation type $a_i \in S_i$ we refer to the input actions of $a_i$ by INVOKE$_i(a_i, v)$ and the output actions of $a_i$ by RESPONSE$_i(a_i, r)$. Intuitively there is a process, $p_i$, associated with all actions whose names include the index $i$. For the remainder of the section, assume that all I/O Automata have an operational interface as described above.

$^2$ Formally, $v$ and $r$ are used to uniquely identify the actions of operation type $a$. Intuitively, $v$ and $r$ represent arguments. The arguments $v$ and $r$ are syntactic placeholders since the I/O Automata Model does not have the concept of an argument. Arguments are implemented by having a separate action for each possible argument value.

We now define a set of concepts with which we can characterize the behaviors of I/O Automata and problem specifications that have operational interfaces. Let A be an I/O Automaton or a problem specification with an operational interface. If $\beta$ is a behavior of A, then $\beta_i$ is the projection of $\beta$ onto the actions that have the index $i$ as part of their name.

Definition 2.4 (well-formed) Let A be an I/O Automaton or a problem specification with an operational interface. A behavior $\beta$ of A is well-formed if, for all $\beta_i$, $\beta_i$ consists of an alternating sequence of input and output actions, starting with an input action, such that each output action is immediately preceded by an input action of the same operation type. Specifically, if $a_i \in ops(exsig(A))$, each RESPONSE$_i(a_i, r)$ action is immediately preceded by an INVOKE$_i(a_i, v)$ action. ■

Definition 2.5 (well-formed-input) Let A be an I/O Automaton or a problem specification with an operational interface. A behavior $\beta$ of A has a well-formed-input if, for all $\beta_i$, there exist no two consecutive input actions. ■

Definition 2.6 (well-formed-preserving) Let A be an I/O Automaton or a problem specification with an operational interface. Let $\beta$ be a behavior of A. $\beta$ is well-formed-preserving if, for all prefixes $\beta'$ of $\beta$ that have a well-formed-input, $\beta'$ is well-formed. ■

We say that an I/O Automaton is well-formed-preserving if all of its behaviors are well-formed-preserving. Similarly, a problem specification is well-formed-preserving if all of its behaviors are well-formed-preserving. In addition to the safety properties described by the well-formedness concepts, we require the following liveness property.

Definition 2.7 (response-live) Let A be an I/O Automaton or a problem specification with an operational interface. Let $\beta$ be a well-formed behavior of A. Then $\beta$ is response-live if each INVOKE$_i(a_i, v)$ action is eventually followed by a RESPONSE$_i(a_i, r)$ action. ■




We say that an I/O Automaton is response-live if all of its fair behaviors are response-live. Similarly, a problem specification is response-live if all of its behaviors are response-live. We can now define the following partial order on the operation instances of any well-formed and response-live behavior.

Definition 2.8 ($\rightarrow$ order) Let $\beta$ be a well-formed and response-live behavior of an I/O Automaton or problem specification with an operational interface. Let $a_i$ and $b_j$ be any two operation instances$^3$ in $\beta$. In general $a_i$ and $b_j$ can be instances of the same operation type. We say that $a_i \rightarrow b_j$ if and only if in the behavior $\beta$ the RESPONSE$_i(a_i, r)$ action associated with $a_i$ precedes the INVOKE$_j(b_j, v)$ action associated with $b_j$. ■

The order $\rightarrow$ is the same as the precedes relation of [22, 23]. Since $\beta$ is a well-formed behavior, all operations with the same index are totally ordered by $\rightarrow$.
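As an added example (not the paper's code), the following Python checks Definitions 2.4 to 2.8 on a behavior given as a list of INVOKE/RESPONSE actions: well-formed input, well-formedness, well-formed-preservation, the pairing of actions into operation instances, and the $\rightarrow$ (precedes) relation. The tuple encoding of actions, the instance names (i, op, k) meaning the k-th instance of operation type op by process i, and the constructed behavior BETA are assumptions of the example; the instance pairing assumes the input is well-formed, as Definition 2.3 does implicitly.

```python
# Actions of a behavior beta: ("INVOKE", i, op, arg) or ("RESPONSE", i, op, result),
# where i is the process index and op the operation type name (assumed encoding).

def projection(beta, i):
    """beta_i: the actions of beta whose name carries the index i."""
    return [a for a in beta if a[1] == i]

def processes(beta):
    return {a[1] for a in beta}

def has_well_formed_input(beta):
    """Definition 2.5: no beta_i contains two consecutive input actions."""
    for i in processes(beta):
        kinds = [a[0] for a in projection(beta, i)]
        if any(k1 == k2 == "INVOKE" for k1, k2 in zip(kinds, kinds[1:])):
            return False
    return True

def is_well_formed(beta):
    """Definition 2.4: each beta_i alternates INVOKE/RESPONSE starting with an
    INVOKE, and each RESPONSE follows an INVOKE of the same operation type."""
    for i in processes(beta):
        expect, last_op = "INVOKE", None
        for kind, _, op, _ in projection(beta, i):
            if kind != expect or (kind == "RESPONSE" and op != last_op):
                return False
            last_op = op
            expect = "RESPONSE" if kind == "INVOKE" else "INVOKE"
    return True

def is_well_formed_preserving(beta):
    """Definition 2.6: every prefix that has a well-formed input is well-formed."""
    return all(is_well_formed(beta[:n]) for n in range(len(beta) + 1)
               if has_well_formed_input(beta[:n]))

def operation_instances(beta):
    """Definition 2.3: pair each INVOKE with the first later RESPONSE of the same
    process and operation type. Returns {(i, op, k): (invoke_pos, response_pos)};
    an INVOKE without a response so far gets response_pos None."""
    instances, counter, pending = {}, {}, {}
    for pos, (kind, i, op, _) in enumerate(beta):
        if kind == "INVOKE":
            counter[(i, op)] = counter.get((i, op), 0) + 1
            name = (i, op, counter[(i, op)])
            instances[name] = (pos, None)
            pending[(i, op)] = name
        elif (i, op) in pending:
            name = pending.pop((i, op))
            instances[name] = (instances[name][0], pos)
    return instances

def precedes(beta):
    """Definition 2.8: a -> b iff a's RESPONSE precedes b's INVOKE in beta.
    Returns the relation as a set of (a, b) instance-name pairs."""
    inst = operation_instances(beta)
    return {(a, b) for a, (_, resp_a) in inst.items()
            for b, (inv_b, _) in inst.items()
            if resp_a is not None and resp_a < inv_b}

# Constructed behavior: p1's LABEL overlaps p2's SCAN; afterwards p1 SCANs.
BETA = [
    ("INVOKE", 1, "LABEL", "x"),
    ("INVOKE", 2, "SCAN", None),
    ("RESPONSE", 1, "LABEL", None),
    ("RESPONSE", 2, "SCAN", ((2, 1), ("v0", "v0"))),   # concurrent scan: may miss "x"
    ("INVOKE", 1, "SCAN", None),
    ("RESPONSE", 1, "SCAN", ((2, 1), ("x", "v0"))),    # later scan sees p1's value
]
```

On BETA the relation contains (1, LABEL, 1) $\rightarrow$ (1, SCAN, 1) and (2, SCAN, 1) $\rightarrow$ (1, SCAN, 1), but not (1, LABEL, 1) $\rightarrow$ (2, SCAN, 1), since p2's scan is invoked before p1's label responds: the two overlap, which is exactly the case the axioms of Section 3 have to constrain.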

An important type of I/O Automaton is called an atomic I/O Automaton. Before defining 
an atomic I/O Automaton we introduce the notion of a serial specification [38]. 

Definition 2.9 (serial specification) A serial specification is a set of finite and/or infinite 
sequences of operations. ■ 

Intuitively, a serial specification characterizes a behavior consisting of a set of sequentially 
executed operations. 

Definition 2.10 (atomic I/O Automata) An I/O Automaton A is atomic for a serial specification S if A has an operational interface, is well-formed-preserving, and is response-live. Furthermore, for any behavior $\beta \in fairbehs(A)$ there exists a total order $\Rightarrow$ on the operation instances in $\beta$ such that:

1. $\Rightarrow$ is consistent with $\rightarrow$.

2. The sequence consisting of the operation instances in $\beta$ ordered by $\Rightarrow$ is in S.

$^3$ We sometimes use the same name for operation instances and operation types. The meaning of a name will always be clear from context.
3 Concurrent Timestamp System

The following is a formal definition of a CTSS due to Dolev and Shavit [11]. It uses the axiomatic specification formalism of Lamport [22, 23].

A CTSS is a problem specification with an operational interface. A CTSS that permits $n$ concurrent operations has $2n$ operation types, specifically LABEL$_i$ and SCAN$_i$ for $i \in \{1 \ldots n\}$. Each of these operation types consists of the following actions: LABEL$_i$ consists of the input action BEGINLABEL$_i(val_i)$ and the output action ENDLABEL$_i$. SCAN$_i$ consists of the input action BEGINSCAN$_i$ and the output action ENDSCAN$_i(o, v)$. A LABEL$_i$ operation associates a value, $val_i$, taken from any domain, $V$, with a label. In order to correctly handle initial conditions the value domain $V$ must specify some initial value $v_0$. A SCAN$_i$ operation returns a pair $(o, v)$, where $v = (v_1 \ldots v_n)$ is an indexed set of values (one per process), and $o$ is a total order on these indexes.

We now introduce some notation. In a particular behavior $\beta$, $L_i^{[k]}$ denotes the $k$th instance of a LABEL$_i$ operation, and $S_i^{[k]}$ denotes the $k$th instance of a SCAN$_i$ operation. Furthermore, $val_i^{[k]}$ denotes the value passed to operation $L_i^{[k]}$. (The superscript $[k]$ is used only for notation, and is not visible to the I/O Automaton.) We call the superscript $[k]$ an execution number. The domain of execution numbers is $E = \{1, 2, \ldots\}$. Finally, we define a choice function, $c$, as a function mapping $\{1 \ldots n\} \times E \times \{1 \ldots n\}$ to $E \cup \{0\}$. Intuitively, the choice function provides a way to determine which operation wrote a value returned by a SCAN operation. Specifically, if $c(i, a, k) \neq 0$, the value $v_k$ returned by operation $S_i^{[a]}$ was written by the operation $L_k^{[c(i,a,k)]}$. If $c(i, a, k) = 0$, then the value $v_k$ returned by operation $S_i^{[a]}$ is the initial value $v_0$.

The set of behaviors of a CTSS, behs(CTSS), is defined as follows:

Definition 3.1 $\beta \in behs(CTSS)$ if and only if:

1. If $\beta$ has a well-formed-input, then $\beta$ is well-formed.

2. If $\beta$ has a well-formed-input, then $\beta$ is response-live.

3. If $\beta$ is well-formed, then there exists a total order $\Rightarrow$ on the set of all LABEL operations and a choice function $c$ such that $\beta$, $\Rightarrow$ and $c$ satisfy axioms P0-P4 given below.

Note: if $\beta$ does not have a well-formed-input, then $\beta$ can be arbitrary.

In order to handle initial conditions, we let $val_i^{[0]} = v_0$ for all $i$, where $v_0$ is the initial value of the value domain $V$. Recall that execution numbers start with 1.

P0 choice function: For any value $v_k$ in $v$ of $S_i^{[a]}$, $v_k = val_k^{[c(i,a,k)]}$ where $val_k^{[0]} = v_0$.

P1 ordering: $\Rightarrow$ is a total order on the set of all LABEL operation instances in $\beta$, such that:

a. precedence: For any pair of LABEL operation instances $L_i^{[a]}$ and $L_j^{[b]}$ (where possibly $i$ and $j$ are the same index), if $L_i^{[a]} \rightarrow L_j^{[b]}$, then $L_i^{[a]} \Rightarrow L_j^{[b]}$.

b. consistency: For any SCAN operation instance $S_i^{[a]}$ that returns $v$ and $o$, if $v_j, v_k \in v$:

$c(i,a,j) > 0$ and $c(i,a,k) > 0$: $j < k$ in $o$ if and only if $L_j^{[c(i,a,j)]} \Rightarrow L_k^{[c(i,a,k)]}$.

$c(i,a,j) = 0$ and $c(i,a,k) = 0$: $j < k$ in $o$ if and only if $j < k$.

$c(i,a,j) = 0$ and $c(i,a,k) > 0$: $j < k$ in $o$.

$c(i,a,j) > 0$ and $c(i,a,k) = 0$: $k < j$ in $o$.

The above property implies that there is a unique total ordering on LABEL operation instances of all processes, which is a serialization order (part a), and with which all SCAN operations are consistent (part b).

P2 regularity: Let $S_j^{[a]}$ be a SCAN operation instance. If $c(j,a,i) > 0$, then $S_j^{[a]} \not\rightarrow L_i^{[c(j,a,i)]}$ and there is no $L_i^{[b]}$ such that $L_i^{[c(j,a,i)]} \rightarrow L_i^{[b]} \rightarrow S_j^{[a]}$. If $c(j,a,i) = 0$, then there exists no $L_i^{[b]}$ such that $L_i^{[b]} \rightarrow S_j^{[a]}$.

Though a regular CTSS (having properties P0-P2) would suffice for some applications (for example Lamport's "Bakery Algorithm" [19]), a more powerful concurrent timestamp system is needed in applications such as the multireader multiwriter atomic register construction (see [24, 34]). To this end the following third and fourth axioms are added$^4$:

P3 monotonicity: Let $S_i^{[a]}$ return $v_k = val_k^{[c(i,a,k)]}$ and $S_j^{[b]}$ return $v_k = val_k^{[c(j,b,k)]}$ (where possibly $i = j$). Then, $S_i^{[a]} \rightarrow S_j^{[b]}$ and $c(i,a,k) \neq c(j,b,k)$ imply $c(i,a,k) < c(j,b,k)$.

Note that $c(i,a,k) < c(j,b,k)$ implies that $L_k^{[c(i,a,k)]} \Rightarrow L_k^{[c(j,b,k)]}$ when $c(i,a,k) > 0$ and $c(j,b,k) > 0$. Monotonicity is the property that, in an unbounded real number CTSS, can be described by saying that the labels of any one process, as read by increasingly later SCAN operations, are "monotonically non-decreasing." It is important to note that P3 does not imply that one can serialize all LABEL and SCAN operation instances. It does however imply the serializability of the SCAN operation instances of all processes relative to the LABEL operation instances of any one process [37]. P4 is an extension of part of the regularity property to the $\Rightarrow$ order. The properties P3 and P4 together imply that all SCAN operations that consider only the "largest" value, where "largest" is based on the $o$ ordering, can be serialized with respect to all LABEL operations.

P4 $\Rightarrow$-regularity: Let $S_i^{[a]}$ be a SCAN operation instance. If $c(i,a,k) > 0$, then $S_i^{[a]} \rightarrow L_j^{[b]}$ implies that $L_k^{[c(i,a,k)]} \Rightarrow L_j^{[b]}$.

4 An Unbounded Concurrent Timestamp System 

This section introduces a particular implementation of a concurrent timestamp system, UCTSS, that uses timestamps from $\mathbb{R}^+$. UCTSS is introduced as an intermediary I/O Automaton whose purpose is to simplify the correctness proof of our bounded CTSS.

The code for the operations of UCTSS is presented in two forms. Figure 1 presents the code in the precondition-effect notation commonly used to describe I/O Automata$^5$. Figure 2 uses pseudocode. We use the precondition-effect notation as the basis for the correctness proof and include the compact and intuitive pseudocode only for clarity.

The system models $n$ processes indexed by $\{1 \ldots n\}$. Each process $p_i$ in UCTSS can perform a SCAN$_i$ and LABEL$_i$ operation. A LABEL$_i$ operation allows process $p_i$ to associate a label (timestamp) with a given value. A SCAN$_i$ operation allows process $p_i$ to determine the order among values based on their associated labels. The function NEWLABEL$_i$, which is used by LABEL$_i$, is defined in Figure 3. A SNAP$_i$ operation, which is defined by Afek et al. in [1], atomically reads an array of single writer multireader registers. An UPDATE$_i$ operation, also defined by [1], writes a value to a single register in the array of single writer multireader registers



$^4$ A more powerful CTSS satisfying P4 is needed in applications such as the multireader multiwriter atomic register construction of [24, 34]. P4 is included in the journal version of [11], but is not included in the conference version of [11] or in [37].

$^5$ BCTSS is the name for our bounded CTSS implementation. The name is included in the caption since the code in the figure is shared by BCTSS and UCTSS. BCTSS is introduced in Section 5.
Shared State:
  t_i: The current label associated with process p_i; initially 0.
  v_i: The current value associated with process p_i; initially v_0.

Local State:
  nt_i: The new label for p_i determined by function NEWLABEL_i; initially 0.
  val_i: The new value for p_i passed to LABEL_i; initially v_0.
  t̄_i: An array of labels returned by SNAP_i; initially (0...0).
  v̄_i: An array of values returned by SNAP_i; initially (v_0...v_0).
  o_i: An array of process indexes ordered based on the ≪ order; initially (1...n).
  pc_i: The non-input action currently enabled; initially NIL.
  op_i: The current operation; initially NIL.

SCAN_i:
  BEGINSCAN_i
    Eff: op_i ← SCAN_i
         pc_i ← SNAP_i(t̄_i, v̄_i)

  SNAP_i(t̄_i, v̄_i)
    Pre: pc_i = SNAP_i(t̄_i, v̄_i)
    Eff: If op_i = SCAN_i then
           o_i ← the sequence of indexes where j appears before k in o_i iff (t̄_ij, j) ≪ (t̄_ik, k)
           pc_i ← ENDSCAN_i(o_i, v̄_i)
         If op_i = LABEL_i then
           nt_i ← NEWLABEL_i(t̄_i)
           pc_i ← UPDATE_i((t_i, v_i), (nt_i, val_i))

  ENDSCAN_i(o_i, v̄_i)
    Pre: pc_i = ENDSCAN_i(o_i, v̄_i)
    Eff: pc_i ← NIL

LABEL_i:
  BEGINLABEL_i(val_i)
    Eff: op_i ← LABEL_i
         pc_i ← SNAP_i(t̄_i, v̄_i)

  UPDATE_i((t_i, v_i), (nt_i, val_i))
    Pre: pc_i = UPDATE_i((t_i, v_i), (nt_i, val_i))
    Eff: pc_i ← ENDLABEL_i

  ENDLABEL_i
    Pre: pc_i = ENDLABEL_i
    Eff: pc_i ← NIL

Figure 1: Precondition-Effect code for UCTSS and BCTSS
SCAN_i
  SNAP_i(t̄_i, v̄_i)
  o_i ← the sequence of indexes where j appears before k in o_i iff (t̄_ij, j) ≪ (t̄_ik, k)
  return (o_i, v̄_i)

LABEL_i(val_i)
  SNAP_i(t̄_i, v̄_i)
  nt_i ← NEWLABEL_i(t̄_i)
  UPDATE_i((t_i, v_i), (nt_i, val_i))

Figure 2: Pseudocode for UCTSS and BCTSS

read by SNAP$_i$. SNAP$_i$ and UPDATE$_i$ are waitfree, therefore their use does not compromise the waitfree properties of our timestamp algorithm.



NEWLABEL_i(t̄_i)
  if i ≠ i_max
  then return (t_max + X) where X is nondeterministically selected from ℝ^{>0}

Figure 3: Code for NEWLABEL_i of UCTSS

The state of UCTSS is defined by the shared state and the local state of each of the $n$ processes. The shared and local state of each process, along with the initial values, are defined in Figure 1. The state of UCTSS also has derived variables $t_{max}$ and $i_{max}$: $t_{max} = \max(t_1 \ldots t_n)$ and $i_{max}$ is the largest process index $i$ such that $t_i = t_{max}$.

In terms of the I/O Automata model, UCTSS is an I/O Automaton with an operational interface. UCTSS is a composition of $n$ I/O Automata called $p_1, \ldots, p_n$. Each $p_i$ is an I/O Automaton with an operational interface that consists of the operation types LABEL$_i$ and SCAN$_i$. The LABEL$_i$ operation type consists of the input action BEGINLABEL$_i(val_i)$ and the output action ENDLABEL$_i$. The operation type SCAN$_i$ consists of the input action BEGINSCAN$_i$ and the output action ENDSCAN$_i(o_i, \bar{v}_i)$. The internal actions of $p_i$ are SNAP$_i(\bar{t}_i, \bar{v}_i)$ and UPDATE$_i((t_i, v_i), (nt_i, val_i))$. The set steps($p_i$) is characterized by the precondition clause in each action. The set part($p_i$) consists of a single equivalence class whose elements are the actions SNAP$_i(\bar{t}_i, \bar{v}_i)$, ENDSCAN$_i(o_i, \bar{v}_i)$, UPDATE$_i((t_i, v_i), (nt_i, val_i))$, and ENDLABEL$_i$. The set states($p_i$) is the set of all possible states of $p_i$ where each state is defined by the values of the variables of the shared and local state. The set start($p_i$) is the set consisting of the state defined by the initial values of the variables of the shared and local state.

The shared state is accessed only using the atomic SNAP$_i$ and UPDATE$_i$ actions. Since SNAP$_i$ and UPDATE$_i$ are atomic, each action of UCTSS is atomic. Notice that the SNAP$_i$ action makes references to the elements of the vector $\bar{t}_i$ indirectly, through the use of $\bar{i}_{max}$ and $\bar{t}_{max}$ and in order to calculate $o_i$. Since SNAP$_i$ is atomic, the labels in $\bar{t}_i$ are the same as the corresponding labels in the shared state. In other words, $\bar{t}_{ij} = t_j$ during the action. Consequently, we refer directly to the shared variables $i_{max}$, $t_{max}$, and $t_i$ rather than their copies $\bar{i}_{max}$, $\bar{t}_{max}$, and $\bar{t}_i$ when analyzing the SNAP$_i$ action.

UCTSS uses labels that are non-negative real numbers. The ordering between labels is the usual $<$ order of $\mathbb{R}^+$. The ordering $\ll$ used in the ORDER_i action is a lexicographical order between label and process index pairs.

Definition 4.1 ($\ll$ order) $(t_i, i) \ll (t_j, j)$ iff $t_i < t_j$, or $t_i = t_j$ and $i < j$. ■

We now prove some characteristics of $\ll$ that will be used to prove that UCTSS solves CTSS. First consider the following notation: $t_i^{[a]}$ is the label written as a consequence of the $L_i^{[a]}$ operation. When $a = 0$, $t_i^{[0]}$ is equal to the initial value for labels, which for UCTSS is 0. $L_i^{[a]}$(UPDATE) refers to the UPDATE_i action executed as a consequence of the $L_i^{[a]}$ operation and $L_i^{[a]}$(SNAP) refers to the SNAP_i action executed as a consequence of the $L_i^{[a]}$ operation. Similarly, $S_i^{[a]}$(SNAP) refers to the SNAP_i action executed as a consequence of the $S_i^{[a]}$ operation. The SNAP and UPDATE actions model two atomic operations. In the usual model for atomic operations [23], each operation is separated into a request (input) action and a response (output) action, concurrent operation executions are allowed, and it is assumed that every request eventually terminates in a matching response, in such a way as to produce the illusion of instantaneous operations. Consequently, we model SNAP and UPDATE as single actions rather than separate input and output actions. We present a formal justification for treating SNAP and UPDATE operations as single actions rather than separate input and output actions in Section 9. Since SNAP and UPDATE are single actions, there exists a total order on all SNAP and UPDATE actions. We represent this order by $\Rightarrow'$. If a SNAP action returns the set of values $\bar{v}$ and labels $\bar{t}$, then $\bar{v}_k$ and $\bar{t}_k$ are the value and label written by the UPDATE_k action that immediately precedes the SNAP action in the $\Rightarrow'$ ordering. If a SNAP action is not preceded by an UPDATE_k action, then $\bar{v}_k$ and $\bar{t}_k$ are equal to their initial values.

Lemma 4.1 Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\text{UCTSS})$. For any $i$, $a$ and SNAP operation $L_j^{[b]}$(SNAP), if either $a > 0$ and $L_i^{[a]}$(UPDATE) $\Rightarrow'$ $L_j^{[b]}$(SNAP) in $\beta$, or $a = 0$, then:

1. $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i \neq j$.

2. $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i = j$.

Proof: Let $t_{max}$ and $i_{max}$ be the $t_{max}$ and $i_{max}$ used in NEWLABEL_j for $L_j^{[b]}$. Since $\beta$ is well-formed, each process must read its current label when determining its new label. This fact, along with the fact that $X$ in NEWLABEL_j is in $\mathbb{R}^{>0}$, shows that the labels for all processes are nondecreasing. In other words, a label for some process in a particular state of $\beta$ is never larger than the label for the same process in a subsequent state of $\beta$. Thus $t_i^{[a]} \leq t_{max}$ when $a = 0$. When $a > 0$, $L_i^{[a]}$(UPDATE) $\Rightarrow'$ $L_j^{[b]}$(SNAP) shows that $t_i^{[a]} \leq t_{max}$. Consider the following cases:

$j = i_{max}$ and $i \neq j$: When $j = i_{max}$, then $t_{max} = t_j^{[b-1]}$. Recall that $t_i^{[a]} \leq t_{max}$. Consider the cases $t_i^{[a]} = t_{max}$ and $t_i^{[a]} < t_{max}$ separately. When $t_i^{[a]} = t_{max}$, then, since $t_{max} = t_j^{[b-1]}$, $t_i^{[a]} = t_j^{[b-1]}$. Furthermore, since $i \neq j$ and $j = i_{max}$, $i \neq i_{max}$. Since $j = i_{max}$, $i \neq i_{max}$ and $t_i^{[a]} = t_j^{[b-1]}$, the definition of $i_{max}$ shows that $i < j$. As a result of the action $L_j^{[b]}$, $t_j^{[b]} = t_{max}$. Hence, $t_i^{[a]} = t_j^{[b]}$ and $i < j$, which implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. Now consider the case $t_i^{[a]} < t_{max}$. As a result of the action $L_j^{[b]}$, $t_j^{[b]} = t_{max}$. Hence $t_i^{[a]} < t_j^{[b]}$, which implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$.

$j = i_{max}$ and $i = j$: As a result of the action $L_j^{[b]}$ and the fact that $j = i_{max}$, $t_j^{[b]} = t_{max}$. Since $t_i^{[a]} \leq t_{max}$, it must now be the case that $t_i^{[a]} \leq t_j^{[b]}$. This implies that $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$.

$j \neq i_{max}$: As a result of the action $L_j^{[b]}$ and the fact that $j \neq i_{max}$, $t_{max} < t_j^{[b]}$. Since $t_i^{[a]} \leq t_{max}$, it must now be the case that $t_i^{[a]} < t_j^{[b]}$. This implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. ■
Corollary 4.2 Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\text{UCTSS})$. For any two LABEL operations $L_i^{[a]}$ and $L_j^{[b]}$, if $L_i^{[a]} \to L_j^{[b]}$ in $\beta$, then:

1. $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i \neq j$.

2. $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i = j$.

Proof: If $L_i^{[a]} \to L_j^{[b]}$, then $L_i^{[a]}$(UPDATE) $\Rightarrow'$ $L_j^{[b]}$(SNAP). Now Lemma 4.1 proves the corollary. ■

Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\text{UCTSS})$. Define $\Rightarrow'$, a total order on all the SNAP and UPDATE operations of $\beta$, as before. We now define a total order$^6$ $\Rightarrow$ on the LABEL operations in $\beta$ and a choice function $c$. Recall from Definition 2.8 that $\to$ defines a partial order on the operation instances of a well-formed, response-live behavior.

Definition 4.2 ($\Rightarrow$ order) $L_i^{[a]} \Rightarrow L_j^{[b]}$ iff either $L_i^{[a]} \to L_j^{[b]}$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. ■

Definition 4.3 (choice function $c$) If $S_i^{[a]}$ returns $\bar{t}_i$ and $L_j^{[b]}$(UPDATE) is the UPDATE_j action that immediately precedes $S_i^{[a]}$(SNAP) in $\Rightarrow'$, then $c(i, a, j) = b$. If no such UPDATE_j action exists, then $c(i, a, j) = 0$. ■

For the following lemmas assume that $\beta$ is well-formed, response-live, $\beta \in fairbehs(\text{UCTSS})$, and $\to$ is defined as in Definition 2.8. Furthermore, $\Rightarrow$ and $c$ are defined as in Definition 4.2 and Definition 4.3 respectively.
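The following Python model is an added example and not the paper's own code. It makes the SNAP/UPDATE actions of UCTSS executable: the recorded trace of these atomic steps is the $\Rightarrow'$ order, `choice` computes the choice function $c$ of Definition 4.3 from it, and `check_lemma_4_1` tests the property of Lemma 4.1 over every recorded SNAP. Two details are assumptions rather than the paper's text: $X$ and the interleaving are drawn from a seeded random generator, and NEWLABEL_i keeps the current label when $i = i_{max}$ (which is what the proof of Lemma 4.1 uses when it states $t_j^{[b]} = t_{max}$ for $j = i_{max}$).

```python
# Added example (not the paper's code): an executable model of the UCTSS actions of
# Section 4 and of the =>' order and choice function c built from a recorded trace.
import random


def ll(pair_a, pair_b):
    """Definition 4.1: (t_i, i) << (t_j, j) iff t_i < t_j, or t_i = t_j and i < j."""
    (ti, i), (tj, j) = pair_a, pair_b
    return ti < tj or (ti == tj and i < j)


class UCTSS:
    """Shared labels/values are read only by SNAP_i and written only by UPDATE_i;
    each is one atomic step, so the recorded trace is the =>' order."""

    def __init__(self, n, seed=1):
        self.n = n
        self.t = {i: 0.0 for i in range(1, n + 1)}     # shared labels t_i, initially 0
        self.v = {i: None for i in range(1, n + 1)}    # shared values v_i
        self.nlabel = {i: 0 for i in range(1, n + 1)}  # LABEL_i ops begun (a in L_i^[a])
        self.nscan = {i: 0 for i in range(1, n + 1)}   # SCAN_i ops begun (a in S_i^[a])
        self.labels = {(i, 0): 0.0 for i in range(1, n + 1)}  # t_i^[a], with t_i^[0] = 0
        self.trace = []    # =>' order: (action, op kind, process, op number)
        self.pending = {}  # process -> local state of its in-progress operation
        self.rng = random.Random(seed)  # assumption: X and the schedule come from a seeded RNG

    def snap(self):
        """SNAP_i: copy every label and value; o_i orders the indices by <<,
        which is exactly lexicographic order on (label, index) pairs."""
        tbar, vbar = dict(self.t), dict(self.v)
        obar = sorted(tbar, key=lambda j: (tbar[j], j))
        return tbar, vbar, obar

    def newlabel(self, tbar, i):
        """Figure 3: t_max + X with X > 0 when i != i_max.  For i = i_max the label is
        kept (assumption taken from the proof of Lemma 4.1: t_j^[b] = t_max)."""
        t_max = max(tbar.values())
        i_max = max(j for j in tbar if tbar[j] == t_max)
        if i == i_max:
            return tbar[i]
        return t_max + self.rng.uniform(0.5, 2.0)

    def begin_label(self, i, val):
        self.nlabel[i] += 1
        self.pending[i] = {"kind": "LABEL", "a": self.nlabel[i], "val": val, "stage": "snap"}

    def begin_scan(self, i):
        self.nscan[i] += 1
        self.pending[i] = {"kind": "SCAN", "a": self.nscan[i], "val": None, "stage": "snap"}

    def step(self, i):
        """Run the single enabled internal action of process i (SNAP, then UPDATE for LABEL)."""
        op = self.pending[i]
        if op["stage"] == "snap":
            tbar, vbar, obar = self.snap()
            self.trace.append(("SNAP", op["kind"], i, op["a"]))
            if op["kind"] == "SCAN":
                del self.pending[i]
                return ("ENDSCAN", obar, vbar)
            op["nt"], op["stage"] = self.newlabel(tbar, i), "update"
            return ("SNAP", i)
        # UPDATE_i((t_i, v_i), (nt_i, val_i)): publish the new label and value atomically
        self.t[i], self.v[i] = op["nt"], op["val"]
        self.labels[(i, op["a"])] = op["nt"]
        self.trace.append(("UPDATE", "LABEL", i, op["a"]))
        del self.pending[i]
        return ("ENDLABEL", i)

    def choice(self, i, a, j):
        """Definition 4.3: c(i, a, j) is the b of the last UPDATE_j before S_i^[a](SNAP)
        in =>', or 0 when no UPDATE_j precedes it."""
        b = 0
        for act in self.trace:
            if act == ("SNAP", "SCAN", i, a):
                return b
            if act[0] == "UPDATE" and act[2] == j:
                b = act[3]
        raise KeyError(f"S_{i}^[{a}] has not performed its SNAP")


def check_lemma_4_1(sys_):
    """Lemma 4.1 on the recorded =>' order: if a = 0 or L_i^[a](UPDATE) precedes
    L_j^[b](SNAP), then (t_i^[a], i) << (t_j^[b], j) for i != j, and << or equal for i = j."""
    for pos, act in enumerate(sys_.trace):
        if act[:2] != ("SNAP", "LABEL") or act[2:] not in sys_.labels:
            continue  # skip SCANs and LABEL ops whose UPDATE has not happened yet
        j, b = act[2:]
        tj = sys_.labels[(j, b)]
        earlier = sys_.trace[:pos]
        for (i, a), ti in sys_.labels.items():
            if a > 0 and ("UPDATE", "LABEL", i, a) not in earlier:
                continue
            if i != j and not ll((ti, i), (tj, j)):
                return False
            if i == j and not (ti == tj or ll((ti, i), (tj, j))):
                return False
    return True


def run(n=4, steps=300, seed=3):
    """Drive a random interleaving: begin an operation on an idle process, step a busy one."""
    s = UCTSS(n, seed)
    for k in range(steps):
        i = s.rng.randint(1, n)
        if i not in s.pending:
            if s.rng.random() < 0.7:
                s.begin_label(i, f"val{k}")
            else:
                s.begin_scan(i)
        s.step(i)
    return s
```

Because a LABEL operation is split into a SNAP step and an UPDATE step, `run` produces interleavings in which two processes snap the same state and both choose labels above the same $t_{max}$; Lemma 4.1 says nothing about the relative order of those two, which is exactly why Definition 4.2 falls back on $\ll$ for them.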

Lemma 4.3 The order $\Rightarrow$ is a total order on all LABEL operation instances in $\beta$.

Proof: In order to simplify the notation in this proof, we write $L_i^{[a]} \ll L_j^{[b]}$ instead of $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. Since $\to$ is a partial order, it is irreflexive, antisymmetric, and transitive. By definition, $\ll$ is irreflexive, antisymmetric, and transitive.

irreflexive: This follows immediately from the fact that $\to$ and $\ll$ are irreflexive.

antisymmetric: To reach a contradiction assume that $L_i^{[a]} \Rightarrow L_j^{[b]}$ and $L_j^{[b]} \Rightarrow L_i^{[a]}$. Since $\to$ and $\ll$ are antisymmetric, we can assume without loss of generality that $L_i^{[a]} \to L_j^{[b]}$ and $L_j^{[b]} \ll L_i^{[a]}$. Using the fact that $L_i^{[a]} \to L_j^{[b]}$ along with Corollary 4.2 we can conclude that $L_i^{[a]} \ll L_j^{[b]}$ or $L_i^{[a]} = L_j^{[b]}$. However, this contradicts the fact that $L_j^{[b]} \ll L_i^{[a]}$.

transitive: For a contradiction assume that $L_i^{[a]} \Rightarrow L_j^{[b]}$ and $L_j^{[b]} \Rightarrow L_k^{[c]}$ but $L_i^{[a]} \not\Rightarrow L_k^{[c]}$. Consider the case where $L_i^{[a]} \to L_j^{[b]}$ and $L_j^{[b]} \ll L_k^{[c]}$ but $L_i^{[a]} \not\to L_k^{[c]}$ and $L_i^{[a]} \not\ll L_k^{[c]}$. Corollary 4.2 and the fact that $L_i^{[a]} \to L_j^{[b]}$ imply that $L_i^{[a]} \ll L_j^{[b]}$ or $L_i^{[a]} = L_j^{[b]}$. This fact along with the fact that $L_j^{[b]} \ll L_k^{[c]}$ implies that $L_i^{[a]} \ll L_k^{[c]}$. This contradicts the earlier assumption that $L_i^{[a]} \not\ll L_k^{[c]}$. Since $\to$ and $\ll$ are transitive, the only other case is $L_i^{[a]} \ll L_j^{[b]}$ and $L_j^{[b]} \to L_k^{[c]}$ but $L_i^{[a]} \not\to L_k^{[c]}$ and $L_i^{[a]} \not\ll L_k^{[c]}$. We use the same reasoning as in the previous case to show that this case also cannot arise.

total: Consider any two LABEL operations $L_i^{[a]}$ and $L_j^{[b]}$. When $i \neq j$ then $L_i^{[a]}$ and $L_j^{[b]}$ are ordered by $\ll$. When $i = j$ then $L_i^{[a]}$ and $L_j^{[b]}$ are ordered by $\to$.

Since $\Rightarrow$ is irreflexive, antisymmetric, transitive and total, we can conclude that $\Rightarrow$ is a total order. ■

$^6$ Lemma 4.3 proves that $\Rightarrow$ is a total order.

Lemma 4.4 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P0.

Proof: This follows immediately from the definition of $c$, the fact that $\beta$ is well-formed, and the definition of the SNAP and UPDATE actions. ■

Lemma 4.5 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P1.

Proof: In order to simplify the notation in this proof, we write $L_i^{[a]} \ll L_j^{[b]}$ instead of $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. From Lemma 4.3 we know that $\Rightarrow$ is a total order. Part a of P1, precedence, follows immediately from the definition of $\Rightarrow$. For part b of P1, consistency, let $S_i^{[a]}$ return $\bar{o}_i$. There are four cases to consider:

$c(i,a,j) \neq 0$ and $c(i,a,k) \neq 0$: ($\Rightarrow$) If $j < k$ in $\bar{o}_i$, then, by the definition of $\bar{o}_i$ in the SNAP_i action, $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. By definition of $\Rightarrow$ this shows that $L_j^{[c(i,a,j)]} \Rightarrow L_k^{[c(i,a,k)]}$. ($\Leftarrow$) If $L_j^{[c(i,a,j)]} \Rightarrow L_k^{[c(i,a,k)]}$ then either $L_j^{[c(i,a,j)]} \to L_k^{[c(i,a,k)]}$ or $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. When $L_j^{[c(i,a,j)]} \to L_k^{[c(i,a,k)]}$, Corollary 4.2 and the fact that $j \neq k$ show that $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. Now $j < k$ in $\bar{o}_i$ since $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$.

$c(i,a,j) = 0$ and $c(i,a,k) = 0$: In this case the definition of $c$ shows that the $\bar{t}_j$ and $\bar{t}_k$ read by $S_i^{[a]}$(SNAP) are equal to their initial values, which are 0. Now the definition of $\bar{o}_i$ in the SNAP action shows that $j < k$ in $\bar{o}_i$ if and only if $j < k$.

$c(i,a,j) = 0$ and $c(i,a,k) \neq 0$: Lemma 4.1 shows that $(t_j^{[c(i,a,j)]}, j) \ll (t_k^{[c(i,a,k)]}, k)$. Now the definition of $\bar{o}_i$ in the SNAP action shows that $j < k$ in $\bar{o}_i$.

$c(i,a,j) \neq 0$ and $c(i,a,k) = 0$: Lemma 4.1 shows that $(t_k^{[c(i,a,k)]}, k) \ll (t_j^{[c(i,a,j)]}, j)$. Now the definition of $\bar{o}_i$ in the SNAP action shows that $k < j$ in $\bar{o}_i$. ■

Lemma 4.6 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P2.

Proof: Consider $S_j^{[a]}$ with $c(j,a,i) > 0$. By definition of $c$, $L_i^{[c(j,a,i)]}$(UPDATE) $\Rightarrow'$ $S_j^{[a]}$(SNAP). Hence $S_j^{[a]} \not\to L_i^{[c(j,a,i)]}$. In order to prove that the second part of the axiom holds for $\beta$ we assume that there exists $L_i^{[b]}$ such that $L_i^{[c(j,a,i)]} \to L_i^{[b]} \to S_j^{[a]}$. This implies that $L_i^{[c(j,a,i)]}$(UPDATE) $\Rightarrow'$ $L_i^{[b]}$(UPDATE) $\Rightarrow'$ $S_j^{[a]}$(SNAP), which directly contradicts the definition of $c$. Now consider $S_j^{[a]}$ where $c(j,a,i) = 0$. The definition of $c$ shows that there exists no $L_i^{[b]}$(UPDATE) such that $L_i^{[b]}$(UPDATE) $\Rightarrow'$ $S_j^{[a]}$(SNAP). Consequently, there exists no $L_i^{[b]}$ such that $L_i^{[b]} \to S_j^{[a]}$. ■

Lemma 4.7 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P3.

Proof: Consider $S_i^{[a]} \to S_j^{[b]}$ where $c(i,a,k) > 0$. By definition of $c$, $L_k^{[c(i,a,k)]}$(UPDATE) $\Rightarrow'$ $S_i^{[a]}$(SNAP) $\Rightarrow'$ $S_j^{[b]}$(SNAP). Now the definition of $c$ and the fact that $c(i,a,k) \neq c(j,b,k)$ imply that $c(i,a,k) < c(j,b,k)$. When $c(i,a,k) = 0$ the fact that $c(i,a,k) \neq c(j,b,k)$ immediately shows that $c(i,a,k) < c(j,b,k)$. ■

Lemma 4.8 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P4.

Proof: Since $S_i^{[a]} \to L_j^{[b]}$, $S_i^{[a]}$(SNAP) $\Rightarrow'$ $L_j^{[b]}$(SNAP). Furthermore, the definition of $c$ and the fact that $c(i,a,k) > 0$ imply that $L_k^{[c(i,a,k)]}$(UPDATE) $\Rightarrow'$ $S_i^{[a]}$(SNAP). Consequently, $L_k^{[c(i,a,k)]}$(UPDATE) $\Rightarrow'$ $L_j^{[b]}$(SNAP). Now Lemma 4.1 implies that $(t_k^{[c(i,a,k)]}, k) \ll (t_j^{[b]}, j)$. Therefore the definition of $\Rightarrow$ implies that $L_k^{[c(i,a,k)]} \Rightarrow L_j^{[b]}$. ■
Lemma 4.9 If a behavior $\beta$, where $\beta \in fairbehs(\text{UCTSS})$, has a well-formed-input, then $\beta$ is well-formed and response-live.

Proof: Notice by inspecting the precondition clauses in the code of Figure 1 that for any equivalence class $C_i$ of part(UCTSS), there is always at most one action enabled. Furthermore, each action remains enabled until it is executed. Consequently, the actions must be executed in the sequence in which they are enabled. Furthermore, in a fair execution each enabled action will eventually be executed.

Now consider any fair execution that has a well-formed-input. The precondition-effects code in Figure 1 shows that the following sequence of actions is executed in response to a BEGINSCAN_i input action: SNAP_i($\bar{t}_i, \bar{v}_i$) and ENDSCAN_i($\bar{o}_i, \bar{v}_i$). In response to a BEGINLABEL_i($val_i$) input action, the following sequence of actions is executed: SNAP_i($\bar{t}_i, \bar{v}_i$), UPDATE_i($(t_i, v_i), (nt_i, val_i)$), and ENDLABEL_i. Also, no actions of $C_i$ are enabled between the execution of an ENDSCAN_i($\bar{o}_i, \bar{v}_i$) or ENDLABEL_i action and the next execution of a BEGINSCAN_i or BEGINLABEL_i($val_i$) action. Inspection of these action sequences and the definitions of well-formed-preserving and response-live immediately shows that UCTSS is well-formed-preserving and response-live. ■

We now have the necessary lemmas to show that UCTSS solves CTSS.

Lemma 4.10 UCTSS solves CTSS.

Proof: By inspection exsig(UCTSS) = exsig(CTSS). In order to show that $fairbehs(\text{UCTSS}) \subseteq behs(\text{CTSS})$ we consider any behavior $\beta$ such that $\beta \in fairbehs(\text{UCTSS})$. If $\beta$ does not have a well-formed-input, then $\beta \in behs(\text{CTSS})$ trivially. So, assume that $\beta$ has a well-formed-input. Now Lemma 4.9 shows that $\beta$ is well-formed. Define an order $\Rightarrow$ and a choice function $c$ as in Definition 4.2 and Definition 4.3 respectively. Now, Lemma 4.4, Lemma 4.5, Lemma 4.6, Lemma 4.7, and Lemma 4.8 show that $\beta$, $\Rightarrow$ and $c$ satisfy axioms P0–P4. Hence $\beta \in behs(\text{CTSS})$. ■

5 A Bounded Concurrent Timestamp System

In this section we present our bounded implementation of a concurrent timestamp system, BCTSS. BCTSS differs from UCTSS in three ways: the structure of the labels, the order between labels, and the manner in which NEWLABEL_i determines new labels. In all other aspects BCTSS and UCTSS are identical. Recall that a label in UCTSS is an element of $\mathbb{R}^+$. In BCTSS, labels are taken from a different domain. In order to construct the new domain we introduce the set $A = \{1 \ldots 5\}$. We define the order $\prec_A$ and the function NEXT on the elements of $A$.

$1 \prec_A 2, 3, 4, 5$; $\quad 2 \prec_A 3, 4, 5$; $\quad 3 \prec_A 4$; $\quad 4 \prec_A 5$; $\quad 5 \prec_A 3$.

The graph in Figure 4 represents $\prec_A$, where $a \prec_A b$ iff there is a directed edge from $b$ to $a$.

$$\text{NEXT}(k) = \begin{cases} k + 1 & \text{if } k \in \{1, 2, 3, 4\} \\ 3 & \text{if } k = 5 \end{cases}$$

Figure 4: A graphical illustration of the $\prec_A$ order between the elements of $A = \{1 \ldots 5\}$

A BCTSS label is an element of $A^{n-1}$, where $n$ is the number of processes in the system. We refer to elements of $A^{n-1}$ using array notation. Specifically, the $h$th digit of label $\ell$ will be denoted by $\ell[h]$. Since we have redefined the label type, we must specify the order that is to be used between elements of $A^{n-1}$ for the $\ll$ order in the SNAP_i action. The order between elements of $A^{n-1}$ is represented by the symbol $\prec$ and will be a lexicographical order based on $\prec_A$.

Definition 5.1 ($\prec$ order) $\ell_i \prec \ell_j$ iff there exists $h \in \{1 \ldots n-1\}$ such that $\ell_i[h'] = \ell_j[h']$ for all $h' < h$ and $\ell_i[h] \prec_A \ell_j[h]$. ■

Example 5.1 $4 \ldots 4.5.2 \prec 4 \ldots 4.3.1$

Lemma 5.1 If $\ell_1$ and $\ell_2$ are elements of $A^{n-1}$ then exactly one of the following is true: $\ell_1 \prec \ell_2$, $\ell_2 \prec \ell_1$, or $\ell_1 = \ell_2$.

Proof: If $a, b \in A$, then by definition of $\prec_A$ exactly one of the following is true: $a \prec_A b$, $b \prec_A a$ or $a = b$. The lemma now follows since $\prec$ is a lexicographical order defined by $\prec_A$. ■
We define the following notation and functions for BCTSS labels:

Definition 5.2 ($\equiv^h$ equivalence relation) For any $h \in \{0 \ldots n-1\}$, $\ell_1 \equiv^h \ell_2$ iff $\ell_1[h'] = \ell_2[h']$ for all $h' \leq h$. Note that $\ell_1 \equiv^{n-1} \ell_2$ implies that $\ell_1 = \ell_2$. ■

Definition 5.3 (NEXTLABEL) For any $h \in \{1 \ldots n-1\}$, $\ell'$ = NEXTLABEL($\ell, h$) iff $\ell' \equiv^{h-1} \ell$, $\ell'[h]$ = NEXT($\ell[h]$) and $\ell'[h'] = 1$ for all $h' \in \{h+1 \ldots n-1\}$. ■

Definition 5.4 (CYCLE) For any $h \in \{1 \ldots n-1\}$, $\ell' \in$ CYCLE($\ell, h$) iff $\ell' \equiv^{h-1} \ell$ and $\ell'[h] \in \{3, 4, 5\}$. ■

Lemma 5.2 A set $C$ of labels is not totally ordered by $\prec$ iff there exist $\ell_1, \ell_2, \ell_3 \in C$ and $h \in \{1 \ldots n-1\}$ such that $\ell_1 \equiv^{h-1} \ell_2 \equiv^{h-1} \ell_3$ and $\{\ell_1[h], \ell_2[h], \ell_3[h]\} = \{3, 4, 5\}$.

Proof: ($\Rightarrow$) The $\prec$ ordering on $C$ is irreflexive by definition and antisymmetric by Lemma 5.1. Therefore, it must be that transitivity does not hold. Specifically, there exist $\ell_1, \ell_2, \ell_3 \in C$ such that $\ell_1 \prec \ell_2 \prec \ell_3$ and $\ell_1 \not\prec \ell_3$. By Lemma 5.1 it cannot be that $\ell_1 = \ell_3$, therefore $\ell_3 \prec \ell_1$. Since $\prec$ is a lexicographical order, there must exist $h \in \{1 \ldots n-1\}$ such that $\ell_1 \equiv^{h-1} \ell_2 \equiv^{h-1} \ell_3$ and $\ell_1[h] \prec_A \ell_2[h] \prec_A \ell_3[h]$ and $\ell_1[h] \not\prec_A \ell_3[h]$. Now by definition of $A$, $\{\ell_1[h], \ell_2[h], \ell_3[h]\} = \{3, 4, 5\}$.

($\Leftarrow$) By definition of $A$ we can conclude without loss of generality that $\ell_1[h] \prec_A \ell_2[h] \prec_A \ell_3[h]$ and $\ell_1[h] \not\prec_A \ell_3[h]$. Since $\ell_1 \equiv^{h-1} \ell_2 \equiv^{h-1} \ell_3$ and $\prec$ is a lexicographical order, $\ell_1 \prec \ell_2 \prec \ell_3$, and $\ell_1 \not\prec \ell_3$. Hence, $\ell_1$, $\ell_2$, and $\ell_3$ are not totally ordered. ■

We now define some functions on the states of BCTSS. In order to reason about the states of the system we introduce the notation $b.x$ to refer to the variable $x$ in state $b$. For a state $b$ and any label $\ell$ in state $b$:

Definition 5.5 (AGREE) For any $h \in \{0 \ldots n-1\}$, AGREE($b.\ell, h$) $= \{j \mid b.t_j \equiv^h b.\ell\}$. ■

Definition 5.6 (NUM) For any $h \in \{0 \ldots n-1\}$, NUM($b.\ell, h$) $= |\text{AGREE}(b.\ell, h)|$. ■

Definition 5.7 (NUM$_i$) For any $h \in \{0 \ldots n-1\}$, NUM$_i$($b.\ell, h$) $= |\text{AGREE}(b.\ell, h) - \{i\}|$. ■

Definition 5.8 (choice vector) A choice vector for state $b$ is any vector $(b.\ell_1 \ldots b.\ell_n)$ such that $b.\ell_i \in \{b.t_i, b.nt_i\}$ for each $i$. ■
FULL_i(h), h ∈ {1 ... n-1}
    if NUM_i(t_max, h) ≥ n - h
        then return(true)
        else return(false)

NEWLABEL_i(t̄_i)
    if i ≠ i_max
        then h' ← minimum h ∈ {1 ... n-1} such that FULL_i(h) = true
             return(NEXTLABEL(t_max, h'))

Figure 5: Code for NEWLABEL_i of BCTSS

Definition 5.9 (TOT) TOT($b$) = true iff the set of values in every choice vector is totally ordered by $\prec$; otherwise TOT($b$) = false. ■

Recall that the second difference between UCTSS and BCTSS is the $\ll$ order that is used in SNAP_i. We define $\ll$ for BCTSS lexicographically.

Definition 5.10 ($\ll$ order) $(\ell_i, i) \ll (\ell_j, j)$ iff either $\ell_i \prec \ell_j$ or $\ell_i = \ell_j$ and $i < j$. ■

In any state $b$ in which TOT($b$) = true, $\ll$ defines a total order.

We now define $b.t_{max}$ and $b.i_{max}$ for a state $b$ in which TOT($b$) = true. Consider the choice vector $(b.t_1 \ldots b.t_n)$. Since TOT($b$) = true, there must exist $i \in \{1 \ldots n\}$ such that, for all $j \neq i$ and $j \in \{1 \ldots n\}$, $b.t_j \preceq b.t_i$. Let $b.t_{max} = b.t_i$. Let $b.i_{max}$ be the largest index $j$ such that $b.t_j = b.t_{max}$.

The final difference between BCTSS and UCTSS is in the code for NEWLABEL_i. Recall that in UCTSS, NEWLABEL_i nondeterministically picks a real number that is larger than $t_{max}$. In BCTSS, NEWLABEL_i also picks the new label based on $t_{max}$. In states in which TOT($b$) = true, $b.t_{max}$ and $b.i_{max}$ are defined. We let NEWLABEL_i be a no-op for states in which TOT($b$) = false. In Section 6 we will show that TOT($b$) = true for all reachable states. When $i_{max}$ is defined and $i \neq i_{max}$, NEWLABEL_i finds the minimum $h$ such that at least $n - h$ $t$-labels, excluding $t_i$, agree with the prefix of $t_{max}$ up to and including the $h$th digit. Then the new label is the same as $t_{max}$ for the first $h - 1$ digits, it differs from $t_{max}$ at the $h$th digit based on the function NEXT, and its remaining digits are equal to 1. The code for NEWLABEL_i of BCTSS is given in Figure 5.

NEWLABEL_i finds the minimum integer $h$ such that FULL_i($h$) returns true. We now show that such an $h$ exists in $\{1 \ldots n-1\}$. The code that finds $h$ is executed only when $i \neq i_{max}$. Notice that NUM$_i(t_{max}, n-1) \geq 1$ when $i \neq i_{max}$, hence FULL_i($n-1$) = true.

The initial values for the labels in BCTSS are: $t_i = nt_i = 1^{n-1}$, $\bar{o}_i = (1 \ldots n)$, $\bar{v}_i = (v_0 \ldots v_0)$, $\bar{t}_i = (1^{n-1} \ldots 1^{n-1})$, $v_i = val_i = v_0$, $op_i$ = NIL, and $pc_i$ = NIL.
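The following Python is an added example, not the paper's code. It implements the label domain of this section ($\prec_A$, NEXT, the lexicographic $\prec$, $\equiv^h$, NEXTLABEL, CYCLE), the total-order test of Lemma 5.2, and NEWLABEL_i with FULL_i from Figure 5, and then runs the labeling code on a constructed three-process state in which the processes take turns. Figure 5 shows only the $i \neq i_{max}$ branch; the example keeps the current label when $i = i_{max}$, which is an assumption consistent with invariant II of Section 6. The round-robin schedule is constructed for illustration and executes each LABEL operation without interleaving, so only the $t$-labels matter.

```python
# Added example (not the paper's code): the BCTSS label domain of Section 5 and the
# NEWLABEL_i / FULL_i code of Figure 5, run on a constructed three-process state.
from itertools import combinations

# <_A as the set of (a, b) pairs with a <_A b (an edge from b to a in Figure 4).
LESS_A = {(1, 2), (1, 3), (1, 4), (1, 5),
          (2, 3), (2, 4), (2, 5),
          (3, 4), (4, 5), (5, 3)}


def next_digit(k):
    """NEXT(k) = k + 1 for k in {1, 2, 3, 4}, and 3 for k = 5 (the 3-4-5 cycle)."""
    return k + 1 if k in (1, 2, 3, 4) else 3


def less(l1, l2):
    """Definition 5.1: l1 < l2 iff the first differing digit is ordered by <_A."""
    for a, b in zip(l1, l2):
        if a != b:
            return (a, b) in LESS_A
    return False


def equiv(l1, l2, h):
    """Definition 5.2: l1 ==^h l2 iff their first h digits agree (h = 0 always holds)."""
    return tuple(l1[:h]) == tuple(l2[:h])


def nextlabel(l, h):
    """Definition 5.3 (1-based h): keep digits 1..h-1, apply NEXT at h, reset the rest to 1."""
    return tuple(l[:h - 1]) + (next_digit(l[h - 1]),) + (1,) * (len(l) - h)


def in_cycle(lp, l, h):
    """Definition 5.4: lp is in CYCLE(l, h)."""
    return equiv(lp, l, h - 1) and lp[h - 1] in (3, 4, 5)


def totally_ordered(labels):
    """Lemma 5.2: a set fails to be totally ordered by < exactly when three labels agree
    on the first h-1 digits and their h-th digits are {3, 4, 5}."""
    distinct = sorted(set(labels))
    for l1, l2, l3 in combinations(distinct, 3):
        for h in range(1, len(l1) + 1):
            if (equiv(l1, l2, h - 1) and equiv(l2, l3, h - 1)
                    and {l1[h - 1], l2[h - 1], l3[h - 1]} == {3, 4, 5}):
                return False
    return True


def agree(tlabels, l, h):
    """Definition 5.5: processes (1-based) whose t-label is ==^h to l."""
    return {j for j, tj in enumerate(tlabels, start=1) if equiv(tj, l, h)}


def t_max_i_max(tlabels):
    """t_max is the largest t-label under <, i_max the largest index holding it."""
    for ti in tlabels:
        if all(tj == ti or less(tj, ti) for tj in tlabels):
            i_max = max(j for j, tj in enumerate(tlabels, start=1) if tj == ti)
            return ti, i_max
    raise ValueError("t-labels are not totally ordered")


def newlabel(tlabels, i):
    """Figure 5: for i != i_max, the minimum h with FULL_i(h), i.e. at least n-h other
    processes ==^h t_max; then NEXTLABEL(t_max, h).  For i = i_max the label is kept
    (assumption, consistent with invariant II)."""
    n = len(tlabels)
    t_max, i_max = t_max_i_max(tlabels)
    if i == i_max:
        return t_max
    for h in range(1, n):
        if len(agree(tlabels, t_max, h) - {i}) >= n - h:
            return nextlabel(t_max, h)
    raise AssertionError("FULL_i(n-1) always holds when i != i_max")


def round_robin(n, rounds):
    """Constructed scenario: processes 1..n take turns doing a whole LABEL operation
    (SNAP then UPDATE, no interleaving).  Returns the sequence of t-label states."""
    t = [(1,) * (n - 1)] * n
    states = [list(t)]
    for _ in range(rounds):
        for i in range(1, n + 1):
            t[i - 1] = newlabel(t, i)
            states.append(list(t))
    return states
```

Running `round_robin(3, 3)` shows the bounded domain at work: the leading digit climbs 2, 3, 4, 5 and then wraps to 3 via NEXT(5), yet every intermediate state stays totally ordered under $\prec$, because at most two of the three processes ever sit on the 3-4-5 cycle at the same level.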

6 Invariants

For use in the simulation proof we define the following invariants:

Theorem 6.1 If $b$ is a reachable state of BCTSS then, for all $i \in \{1 \ldots n\}$:

I: TOT($b$) = true.

II: If $i = b.i_{max}$ then $b.t_i = b.nt_i$.

III: If $b.t_{max} \prec b.nt_i$ then there exists $h \in \{1 \ldots n-1\}$ such that $b.nt_i$ = NEXTLABEL($b.t_{max}, h$).

IV: If $b.nt_i \preceq b.t_{max}$ then for any $h \in \{1 \ldots n-1\}$, if $b.t_i \equiv^h b.t_{max}$ then $b.nt_i \equiv^h b.t_{max}$.

V: For any $h \in \{1 \ldots n-1\}$, if $b.nt_i \in$ CYCLE($b.t_{max}, h$) then $b.t_i \equiv^{h-1} b.t_{max}$.

VI: For any $h \in \{1 \ldots n-1\}$,

a: if $b.nt_i$ = NEXTLABEL($b.t_{max}, h$) then NUM$_i$($b.t_{max}, h-1$) $\geq n - h$.
b: if $b.t_{max}[h] \neq 1$ then NUM($b.t_{max}, h-1$) $\geq n - h + 1$.

I, II, and III are used in the simulation proof. We use an induction argument to show that all reachable states of BCTSS satisfy these invariants. The purpose of invariants IV–VI is to strengthen the induction hypothesis enough so that I can be proven. The only action that can cause invariant I to be violated is SNAP_i when $op_i$ = LABEL_i. Specifically, we must show that the new $nt_i$ picked by NEWLABEL_i does not introduce any cycles in the $\prec$ order of the $t$-labels and $nt$-labels. Since the NEWLABEL_i code can examine all of the $t$-labels, the code can be written to avoid any cycles involving $nt_i$ and the $t$-labels. However, the NEWLABEL_i code cannot examine the local $nt$-labels of the other processes. In order to show that cycles that include $nt_i$ and $nt$-labels are avoided, invariants IV and V are used to limit the possible values of the $nt$-labels based on the corresponding $t$-labels.

For example, invariant IV implies that $nt_i \equiv^h t_i$ when $t_i \equiv^h t_{max}$, for all $nt_i \preceq t_{max}$. If $nt_i$ is in the cycle at level $h$, in other words $nt_i[h] \in \{3, 4, 5\}$, then invariant V states that $nt_i \equiv^{h-1} t_i$. Now assume that NEWLABEL_i picks $nt_i$ = NEXTLABEL($t_{max}, h$). Then the code for NEWLABEL_i, using the function FULL_i, limits the number of $t$-labels that are $\equiv^{h-1} t_{max}$ and consequently the number of $t$-labels that are $\equiv^{h-1} nt_i$. Now invariant V can be used to limit the number of $nt$-labels that could, by being in the cycle at level $h$, cause a cycle to occur with the new $nt_i$.

Invariant III gives information about the structure of $nt$-labels that are $\succ t_{max}$. This information is used to determine how the new $nt_i$ is ordered with respect to any $nt$-labels that are $\succ t_{max}$. Finally, invariant VIb is used to prove invariant V, and invariant VIa is used to prove VIb. If a new label $nt_i$ is picked in the cycle at level $h$ then it must be that $t_{max}[h] \neq 1$; hence VIb applies. VIb says that NUM($t_{max}, h-1$) $\geq n - h + 1$. The code for NEWLABEL_i ensures that NUM$_i$($t_{max}, h-1$) $< n - h + 1$. Thus it must be the case that $t_i \equiv^{h-1} t_{max}$. This is precisely what is required to prove invariant V.

The proof of Theorem 6.1 uses induction. It depends on a series of lemmas, one for the initial state and one for each action in the inductive step.

Lemma 6.2 The initial state $b$ of BCTSS satisfies invariants I–VI.

Proof: This follows from the fact that $b.t_i = b.nt_j = 1^{n-1}$ for all $i, j \in \{1 \ldots n\}$. ■

Lemma 6.3 Let $b$ be a state of BCTSS that satisfies I–VI. If $(b, \pi, b')$ is a step of BCTSS where $\pi \in \{$BEGINSCAN_k, ENDSCAN_k($\bar{o}_k, \bar{v}_k$), BEGINLABEL_k($val_k$), ENDLABEL_k$\}$ for any $k$, then $b'$ satisfies I–VI.

Proof: None of the $t$-labels or $nt$-labels change as a result of $\pi$. This suffices to show that $b'$ satisfies I–VI. ■

Lemma 6.4 Let $b$ be a state of BCTSS satisfying I–VI. If $(b, \text{UPDATE}_k((t_k, v_k), (nt_k, val_k)), b')$ is a step of BCTSS for any $k$, then $b'$ satisfies I–VI.
Proof: The proof is divided into a series of claims. By invariant I for state $b$, $b.t_{max}$ and $b.i_{max}$ are defined. We split the argument into two cases: $k = b.i_{max}$ and $k \neq b.i_{max}$. Consider $k = b.i_{max}$ first.

Claim 6.4.1 If $k = b.i_{max}$, then $b'$ satisfies I–VI.

Proof: By invariant II for state $b$, $b.t_k = b.nt_k$. Thus, none of the $t$-labels or $nt$-labels change for BCTSS. This suffices to show that $b'$ satisfies I–VI. ■

So assume that $k \neq b.i_{max}$ for the remainder of the proof.

Claim 6.4.2 If $k \neq b.i_{max}$ then I is true in $b'$.

Proof: Assume for a contradiction that TOT($b'$) = false. Since TOT($b$) = true and $t_k$ is the only label that changes, the choice vector whose values are not totally ordered must include $b'.t_k$. Now consider the same choice vector except that we substitute $b'.nt_k$ for $b'.t_k$. Since $b'.t_k = b'.nt_k$, this new choice vector's values are also not totally ordered. Since none of the labels in this new choice vector change as a result of the action, the same choice vector must not have had its values totally ordered in state $b$. However, this contradicts the assumption that TOT($b$) = true. ■

Having proved invariant I we now know that $b'.i_{max}$ and $b'.t_{max}$ are defined. The proof for II–VI is subdivided into the following two cases: $b.nt_k \preceq b.t_{max}$ and $b.t_{max} \prec b.nt_k$. Assume first that $b.nt_k \preceq b.t_{max}$.

Claim 6.4.3 If $k \neq b.i_{max}$ and $b.nt_k \preceq b.t_{max}$ then $b'.t_{max} = b.t_{max}$, and $b'.i_{max} = b.i_{max}$ or $b'.i_{max} = k$.

Proof: Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$ and $z \neq k$. We show first that $b'.t_i \preceq b.t_z$ for all $i$. First consider $i \neq k$. Since $t_k$ is the only label that changes, $b'.t_i = b.t_i$. Therefore, the fact that $b.t_i \preceq b.t_z$ implies that $b'.t_i \preceq b.t_z$. Now let $i = k$. As a result of the action, $b'.t_i = b.nt_i$. By assumption $b.nt_i \preceq b.t_z$, so $b'.t_i \preceq b.t_z$. Since $z \neq k$, $t_z$ does not change, so we can conclude that $b'.t_i \preceq b'.t_z$ for all $i$. This implies that $b'.t_z = b'.t_{max}$. The following identity now establishes the first part of the claim: $b.t_{max} = b.t_z = b'.t_z = b'.t_{max}$.

Let $S = \{i \mid b.t_i = b.t_{max}\}$ and $S' = \{i \mid b'.t_i = b'.t_{max}\}$. Then $b.i_{max}$ = MAX($S$) and $b'.i_{max}$ = MAX($S'$). Since $t_k$ is the only $t$-label that changes and $b'.t_{max} = b.t_{max}$, $S' = S$ or $S' = S - \{k\}$ or $S' = S \cup \{k\}$. When $S' = S$ then MAX($S'$) = MAX($S$). Let $z = b.i_{max}$. Since $k \neq b.i_{max}$, the definition of $b.i_{max}$ shows that $z \in S$ and $k < z$ when $k \in S$. Consequently, when $S' = S - \{k\}$ then MAX($S'$) = MAX($S$). Finally, when $S' = S \cup \{k\}$ then MAX($S'$) = MAX($S$) or MAX($S'$) $= k$. This shows that $b'.i_{max} = b.i_{max}$ or $b'.i_{max} = k$. ■

Claim 6.4.4 If $k \neq b.i_{max}$ and $b.nt_k \preceq b.t_{max}$ then NUM($b'.t_{max}, h$) $\geq$ NUM($b.t_{max}, h$) and NUM$_i$($b'.t_{max}, h$) $\geq$ NUM$_i$($b.t_{max}, h$) for all $i$ and $h$.

Proof: The claim follows immediately if we show that AGREE($b'.t_{max}, h$) $\supseteq$ AGREE($b.t_{max}, h$). Suppose $i \in$ AGREE($b.t_{max}, h$). If $i \neq k$, then since $t_i$ does not change and, by Claim 6.4.3, $t_{max}$ does not change, $i \in$ AGREE($b'.t_{max}, h$). Now consider $i = k$. By definition of AGREE, $b.t_i \equiv^h b.t_{max}$. Since $b.nt_i \preceq b.t_{max}$, IV for state $b$ implies that $b.nt_i \equiv^h b.t_{max}$. As a result of the action $b'.t_i = b.nt_i$, so $b'.t_i \equiv^h b.t_{max}$. This fact along with the fact that $t_{max}$ does not change implies that $i \in$ AGREE($b'.t_{max}, h$). ■

Claim 6.4.5 If $k \neq b.i_{max}$ and $b.nt_k \preceq b.t_{max}$ then $b'$ satisfies II–VI.

Proof: We proceed with a case analysis. Consider any $i \in \{1 \ldots n\}$ and $h \in \{1 \ldots n-1\}$.

II: Suppose $i = b'.i_{max}$. By Claim 6.4.3, $i = k$ or $i = b.i_{max}$. First consider $i = k$. As a direct consequence of the action, $b'.t_i = b'.nt_i$. Now consider $i = b'.i_{max}$ where $i \neq k$. In this case II holds for $b'$ since $t_i$ and $nt_i$ do not change, and II holds for $b$.

III: III holds for $b'$ since $t_{max}$ and $nt_i$ do not change, and III holds for $b$.

IV: First consider $i = k$. As a consequence of the action $b'.t_i = b'.nt_i$. Hence, $b'.t_i \equiv^h b'.t_{max}$ implies that $b'.nt_i \equiv^h b'.t_{max}$ for all $h$. Now consider $i \neq k$. Since IV holds in state $b$, and $t_{max}$, $t_i$ and $nt_i$ do not change, IV holds for state $b'$.

V: First consider $i = k$. $b'.nt_i \in$ CYCLE($b'.t_{max}, h$) and the definition of CYCLE imply that $b'.nt_i \equiv^{h-1} b'.t_{max}$. As a consequence of the action, $b'.t_i = b'.nt_i$. Hence, $b'.t_i \equiv^{h-1} b'.t_{max}$. Now consider $i \neq k$. In this case V is true in $b'$ since $t_i$, $nt_i$, and $t_{max}$ do not change and V is true in $b$.

VI: Since $nt_i$ and $t_{max}$ do not change, $b'.nt_i$ = NEXTLABEL($b'.t_{max}, h$) implies that $b.nt_i$ = NEXTLABEL($b.t_{max}, h$), and $b'.t_{max}[h] \neq 1$ implies that $b.t_{max}[h] \neq 1$. By Claim 6.4.4, NUM($b'.t_{max}, h$) $\geq$ NUM($b.t_{max}, h$) and NUM$_i$($b'.t_{max}, h$) $\geq$ NUM$_i$($b.t_{max}, h$). Hence, VI holds for state $b'$ since it holds for state $b$. ■



Claim 6.4.5 shows that II–VI hold when $b.nt_k \preceq b.t_{max}$. For the remainder of the proof assume that $b.t_{max} \prec b.nt_k$.

Claim 6.4.6 If $k \neq b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then $b'.t_{max} = b'.t_k$ and $b'.i_{max} = k$.

Proof: We proceed by showing that $b'.t_i \prec b'.t_k$ for all $i \neq k$. From the definition of $t_{max}$ and the assumption that $b.t_{max} \prec b.nt_k$, we know that $b.t_i \preceq b.t_{max} \prec b.nt_k$. Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$ and $z \neq k$. Since $k \neq z$, $k \neq i$, and $b.t_z = b.t_{max}$, there exists a choice vector that includes the values $b.t_i$, $b.t_{max}$, and $b.nt_k$. Since TOT($b$) = true, the values in this choice vector are totally ordered. Hence, $b.t_i \preceq b.t_{max} \prec b.nt_k$ implies that $b.t_i \prec b.nt_k$. As a result of the action $b.nt_k = b'.t_k$ and $t_i$ does not change. Therefore, $b.t_i \prec b.nt_k$ implies that $b'.t_i \prec b'.t_k$. Hence $b'.t_{max} = b'.t_k$. Since $k$ is the only process index for which $b'.t_{max} = b'.t_k$, $b'.i_{max} = k$. ■

The following claim lists some of the properties of $b'.t_{max}$.

Claim 6.4.7 If $k \neq b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then there exists $h' \in \{1 \ldots n-1\}$ such that:

1. $b'.t_{max} = b'.t_k = b'.nt_k = b.nt_k$ = NEXTLABEL($b.t_{max}, h'$).

2. $b'.t_{max}[h] = 1$ for all $h > h'$.

3. For all $i$, $b'.nt_i \equiv^{h'} b'.t_{max}$ implies that $b'.nt_i = b'.t_{max}$.

4. There exists no $i \neq k$ such that $b'.t_i \equiv^{h'} b'.t_{max}$.

5. NUM($b'.t_{max}, h$) $\geq$ NUM($b.t_{max}, h$) and NUM$_i$($b'.t_{max}, h$) $\geq$ NUM$_i$($b.t_{max}, h$) for all $i$ and all $h < h'$.

Proof: By invariant III for state $b$ and the assumption that $b.t_{max} \prec b.nt_k$, we conclude that $b.nt_k$ = NEXTLABEL($b.t_{max}, h'$) for some $h' \in \{1 \ldots n-1\}$. Fix $h'$.

1: By Claim 6.4.6 $b'.t_{max} = b'.t_k$. The fact that $b'.t_k = b'.nt_k = b.nt_k$ is a direct consequence of the action UPDATE_k($(t_k, v_k), (nt_k, val_k)$). Finally, we have already shown that $b.nt_k$ = NEXTLABEL($b.t_{max}, h'$).

2: This follows directly from the definition of NEXTLABEL.

3: Suppose that $b'.nt_i \equiv^{h'} b'.t_{max}$. First consider $i \neq k$. The fact that $nt_i$ does not change and part 1 of the claim show that $b.nt_i = b'.nt_i \equiv^{h'} b'.t_{max}$ = NEXTLABEL($b.t_{max}, h'$). Consequently, $b.nt_i \equiv^{h'}$ NEXTLABEL($b.t_{max}, h'$). Now the definition of NEXTLABEL implies that $b.nt_i \equiv^{h'-1} b.t_{max}$ and $b.nt_i[h']$ = NEXT($b.t_{max}[h']$). Thus $b.t_{max} \prec b.nt_i$. Now III for state $b$ implies that $b.nt_i$ = NEXTLABEL($b.t_{max}, h$) for some $h \in \{1 \ldots n-1\}$. Since $b.nt_i[h']$ = NEXT($b.t_{max}[h']$), $h = h'$. Hence, $b'.nt_i = b.nt_i$ = NEXTLABEL($b.t_{max}, h'$) $= b'.t_{max}$. Now consider $i = k$. In this case $b'.t_{max} = b'.nt_k$ by part 1 of the claim.

4: We proceed by contradiction. Assume that there exists $i \neq k$ such that $b'.t_i \equiv^{h'} b'.t_{max}$. Since $t_i$ does not change as a result of the action, $b.t_i = b'.t_i \equiv^{h'} b'.t_{max}$ = NEXTLABEL($b.t_{max}, h'$). Consequently, $b.t_i \equiv^{h'}$ NEXTLABEL($b.t_{max}, h'$). Now the definition of NEXTLABEL implies that $b.t_i \equiv^{h'-1} b.t_{max}$ and $b.t_i[h']$ = NEXT($b.t_{max}[h']$). Thus $b.t_{max} \prec b.t_i$. This contradicts the definition of $b.t_{max}$.

5: Let $h < h'$. Part 5 of the claim follows immediately if we show that AGREE($b'.t_{max}, h$) $\supseteq$ AGREE($b.t_{max}, h$). Suppose $i \in$ AGREE($b.t_{max}, h$). If $i \neq k$, then $t_i$ does not change. By part 1 of the claim and the definition of NEXTLABEL, $b'.t_{max} \equiv^h b.t_{max}$. Now the definition of AGREE implies that $i \in$ AGREE($b'.t_{max}, h$). Now consider $i = k$. Part 1 of the claim shows that $b'.t_i = b'.t_{max}$. Hence $i \in$ AGREE($b'.t_{max}, h$). ■

The remainder of the proof is structured as a series of claims, one for each of the five 
remaining invariants. Fix h' to be the h' defined by Claim 6.4.7. Parts 1-5 of Claim 6.4.7 will 
be used throughout the remaining claims. 

Claim 6.4.8 If k ^ b.i max and b.t max -< b.nt k then II is true in V . 

Proof: By Claim 6.4.6 b'.i max = k. Part 1 of Claim 6.4.7 shows that b'.t k = b'.nt k . ■ 

Claim 6.4.9 If $k \ne b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then III is true in $b'$.

Proof: Consider any $i$ such that $b'.t_{max} \prec b'.nt_i$. By part 1 of Claim 6.4.7, $b'.t_{max} = b'.nt_k$, so $b'.t_{max} \prec b'.nt_i$ implies that $i \ne k$. Furthermore, $nt_i$ does not change as a result of the action, and part 1 of Claim 6.4.7 shows that $b'.t_{max} = b.nt_k$. Hence $b'.t_{max} \prec b'.nt_i$ implies that $b.nt_k \prec b.nt_i$. By assumption $b.t_{max} \prec b.nt_k$, so $b.t_{max} \prec b.nt_k \prec b.nt_i$. Now consider two cases, $i = b.i_{max}$ and $i \ne b.i_{max}$. When $i = b.i_{max}$, invariant II shows that $b.t_{max} = b.nt_i$. This implies that $b.nt_i \prec b.nt_k \prec b.nt_i$, which is impossible by Lemma 5.1. Therefore, it must be that $i \ne b.i_{max}$. Since $b.i_{max} \ne i$ and $b.i_{max} \ne k$, there must exist a choice vector that includes the values $b.t_{max}$, $b.nt_k$, and $b.nt_i$. Since $\mathrm{TOT}(b) = \mathit{true}$, the values in this choice vector are totally ordered. Hence, $b.t_{max} \prec b.nt_k \prec b.nt_i$ implies that $b.t_{max} \prec b.nt_i$. Now III for state $b$ and the fact that $nt_i$ does not change show that $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h)$ for some $h \in \{1 \ldots n-1\}$. Since $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h)$, $b'.t_{max} = \mathrm{NEXTLABEL}(b.t_{max}, h')$, and $b'.t_{max} \prec b'.nt_i$, it must be that $h < h'$. Hence $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h)$, which directly implies that III holds for state $b'$. ■

Claim 6.4.10 If $k \ne b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then IV is true in $b'$.

Proof: Let $b'.nt_i \preceq b'.t_{max}$. First consider $i = k$. By part 1 of Claim 6.4.7, $b'.nt_k = b'.t_{max}$, which directly implies IV. Now consider $i \ne k$ and any $h$:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$ when $h < h'$. Now consider two cases: $b.nt_i \preceq b.t_{max}$ and $b.nt_i \not\preceq b.t_{max}$. When $b.nt_i \preceq b.t_{max}$, IV for state $b$ shows that $b.t_i \stackrel{h}{=} b.t_{max}$ implies that $b.nt_i \stackrel{h}{=} b.t_{max}$. Now IV is true in $b'$ since $t_i$ and $nt_i$ do not change and $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Now consider the case $b.nt_i \not\preceq b.t_{max}$. By Lemma 5.1, $b.t_{max} \prec b.nt_i$. Now III for state $b$ shows that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h_i)$ for some $h_i \in \{1 \ldots n-1\}$. Furthermore, since $nt_i$ does not change, the assumption that $b'.nt_i \preceq b'.t_{max}$ implies that $b.nt_i \preceq b'.t_{max}$. Finally, part 1 of Claim 6.4.7 shows that $b'.t_{max} = \mathrm{NEXTLABEL}(b.t_{max}, h')$. Using these facts and the definition of NEXTLABEL we can conclude that $h_i \ge h'$. Therefore, $b.nt_i \stackrel{h}{=} b'.t_{max}$. Since $nt_i$ does not change, this implies that $b'.nt_i \stackrel{h}{=} b'.t_{max}$. This suffices to show that IV is true in $b'$.

$h \ge h'$: Part 4 of Claim 6.4.7 shows that $b'.t_i \stackrel{h}{\ne} b'.t_{max}$. Hence, IV is vacuously true in $b'$. ■
Claim 6.4.11 If $k \ne b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then V is true in $b'$.

Proof: Suppose $b'.nt_i \in \mathrm{CYCLE}(b'.t_{max}, h)$ for some $i$ and $h$. The definition of CYCLE implies that $b'.nt_i \stackrel{h-1}{=} b'.t_{max}$. We consider two cases:

$h < h'$: First consider $i \ne k$. Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Thus, V is true in $b'$ since $t_i$ and $nt_i$ do not change, $\mathrm{CYCLE}(b'.t_{max}, h)$ depends only on $b'.t_{max}[1 \ldots h-1]$, and V is true in $b$. Now let $i = k$. In this case, part 1 of Claim 6.4.7 shows that $b'.t_k = b'.t_{max}$. This suffices to show V.

$h > h'$: Since $b'.nt_i \stackrel{h-1}{=} b'.t_{max}$ and $h > h'$, it follows that $b'.nt_i \stackrel{h'}{=} b'.t_{max}$. Thus part 3 of Claim 6.4.7 implies that $b'.nt_i = b'.t_{max}$. By part 2 of Claim 6.4.7, $b'.t_{max}[h] = 1$. Thus $b'.nt_i[h] = 1$, which implies that $b'.nt_i \notin \mathrm{CYCLE}(b'.t_{max}, h)$. This contradicts our original assumption that $b'.nt_i \in \mathrm{CYCLE}(b'.t_{max}, h)$. Therefore this case cannot arise. ■

Claim 6.4.12 If $k \ne b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then VIb is true in $b'$.

Proof: Assume that $b'.t_{max}[h] \ne 1$. We proceed with a case analysis:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Thus $b'.t_{max}[h] \ne 1$ implies that $b.t_{max}[h] \ne 1$. Since $b.t_{max}[h] \ne 1$ and VIb is true for $b$, $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$. By part 5 of Claim 6.4.7, $\mathrm{NUM}(b'.t_{max}, h-1) \ge \mathrm{NUM}(b.t_{max}, h-1)$. Thus, $\mathrm{NUM}(b'.t_{max}, h-1) \ge n-h+1$, which implies that VIb is true for $b'$.

$h = h'$ and $b.t_{max}[h] \ne 1$: Since $b.t_{max}[h] \ne 1$ and VIb is true for $b$, $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$. By part 5 of Claim 6.4.7, $\mathrm{NUM}(b'.t_{max}, h-1) \ge \mathrm{NUM}(b.t_{max}, h-1)$. Thus, $\mathrm{NUM}(b'.t_{max}, h-1) \ge n-h+1$, which implies that VIb is true for $b'$.

$h = h'$ and $b.t_{max}[h] = 1$: Part 1 of Claim 6.4.7 and the fact that $h' = h$ imply that $b.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h)$. Since $b.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h)$ and VIa is true for state $b$, $\mathrm{NUM}_k(b.t_{max}, h-1) \ge n-h$. By part 5 of Claim 6.4.7, $\mathrm{NUM}_k(b'.t_{max}, h-1) \ge \mathrm{NUM}_k(b.t_{max}, h-1)$. Thus, $\mathrm{NUM}_k(b'.t_{max}, h-1) \ge n-h$. Since $b'.t_{max} = b'.t_k$, $k \in \mathrm{AGREE}(b'.t_{max}, h)$. Therefore $\mathrm{NUM}(b'.t_{max}, h-1) > \mathrm{NUM}_k(b'.t_{max}, h-1) \ge n-h$. Thus, $\mathrm{NUM}(b'.t_{max}, h-1) \ge n-h+1$, which implies that VIb is true for $b'$.

$h > h'$: Part 2 of Claim 6.4.7 and the fact that $h > h'$ imply that $b'.t_{max}[h] = 1$. This contradicts the assumption that $b'.t_{max}[h] \ne 1$. Therefore, this case cannot arise. ■
Claim 6.4.13 If $k \ne b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then VIa is true in $b'$.

Proof: Let $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h)$ for some $h$ and $i$. We proceed with a case analysis:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Now the fact that $nt_i$ does not change and the fact that $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h)$ imply that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h)$. Since $b.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h)$ and VIa is true in state $b$, $\mathrm{NUM}_i(b.t_{max}, h-1) \ge n-h$. Part 5 of Claim 6.4.7 shows that $\mathrm{NUM}_i(b'.t_{max}, h-1) \ge \mathrm{NUM}_i(b.t_{max}, h-1)$. Therefore, $\mathrm{NUM}_i(b'.t_{max}, h-1) \ge n-h$, which implies that VIa is true for $b'$.

$h = h'$⁷: Using part 1 of Claim 6.4.7 and the definition of NEXTLABEL we can conclude that $b'.t_{max}[h] = \mathrm{NEXT}(b.t_{max}[h])$. There exists no $z \in A$ such that $\mathrm{NEXT}(z) = 1$. Hence $b'.t_{max}[h] \ne 1$. Claim 6.4.12 implies that VIb holds for state $b'$. Since $b'.t_{max}[h] \ne 1$, VIb for state $b'$ implies that $\mathrm{NUM}(b'.t_{max}, h-1) \ge n-h+1$. Thus $\mathrm{NUM}_i(b'.t_{max}, h-1) \ge n-h$ and VIa is true in state $b'$.

$h > h'$: The fact that $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h)$ and the definition of NEXTLABEL imply that $b'.nt_i \stackrel{h-1}{=} b'.t_{max}$. Now part 3 of Claim 6.4.7 and the fact that $h > h'$ imply that $b'.nt_i = b'.t_{max}$. Thus $b'.nt_i \ne \mathrm{NEXTLABEL}(b'.t_{max}, h)$, which contradicts our assumption that $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h)$. Therefore, this case cannot arise. ■

We now complete the proof of the lemma. To show that $b'$ satisfies I–VI we consider two cases: $k = b.i_{max}$ and $k \ne b.i_{max}$. Claim 6.4.1 shows that $b'$ satisfies I–VI when $k = b.i_{max}$. When $k \ne b.i_{max}$, Claim 6.4.2 shows that invariant I holds in state $b'$. The proof for invariants II–VI is subdivided into two cases: $b.nt_k \preceq b.t_{max}$ and $b.t_{max} \prec b.nt_k$. Claim 6.4.5 shows that II–VI hold when $b.nt_k \preceq b.t_{max}$. Claim 6.4.8, Claim 6.4.9, Claim 6.4.10, Claim 6.4.11, Claim 6.4.12 and Claim 6.4.13 each consider one of the invariants to show that II–VI hold when $b.t_{max} \prec b.nt_k$. ■

⁷ Actually, this case cannot arise. However, the argument that proves that the case cannot arise is more complicated than the argument that proves that VIa is satisfied if the case does arise.

Lemma 6.5 Let $b$ be a state of BCTSS that satisfies I–VI. If $(b, \mathrm{SNAP}_k(t_k, v_k), b')$ is a step of BCTSS for any $k$, then $b'$ satisfies I–VI.

Proof: Note that none of the $t$-labels or $nt$-labels change when $op_k = \mathrm{SCAN}_k$. Therefore, assume that $op_k = \mathrm{LABEL}_k$. The proof is divided into a series of claims. First consider the case where $k = b.i_{max}$.

Claim 6.5.14 If $k = b.i_{max}$ then $b'$ satisfies I–VI.

Proof: The definition of $\mathrm{SNAP}_k(t_k, v_k)$ for BCTSS shows that no labels change. This suffices to show that $b'$ satisfies I–VI. ■

So assume that $k \ne b.i_{max}$ for the remainder of the proof of the lemma. By definition of $\mathrm{NEWLABEL}_k$, $b'.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h')$ for some $h' \in \{1 \ldots n-1\}$. Fix $h'$. Note that, by definition of NEXTLABEL, $b.t_{max} \prec b'.nt_k$.

Claim 6.5.15 If $k \ne b.i_{max}$ then $\mathrm{NUM}_k(b.t_{max}, h') = \mathrm{NUM}_k(b.t_{max}, h'-1) = n-h'$.

Proof: By definition of $\mathrm{NEWLABEL}_k$, $\mathrm{FULL}_k(h')$ returns $\mathit{true}$ in state $b$, so $\mathrm{NUM}_k(b.t_{max}, h') \ge n-h'$. Moreover, $\mathrm{FULL}_k(h'-1)$ returns $\mathit{false}$ in state $b$, therefore $\mathrm{NUM}_k(b.t_{max}, h'-1) < n-(h'-1)$. But by definition, $\mathrm{NUM}_k(b.t_{max}, h'-1) \ge \mathrm{NUM}_k(b.t_{max}, h')$, so $\mathrm{NUM}_k(b.t_{max}, h'-1) = \mathrm{NUM}_k(b.t_{max}, h') = n-h'$. ■

Claim 6.5.16 If $k \ne b.i_{max}$ then I is true in $b'$.

Proof: For a contradiction assume that $\mathrm{TOT}(b') = \mathit{false}$. Then there must exist a choice vector $C$ whose values are not totally ordered. By Lemma 5.2, there exist $b'.\ell_i, b'.\ell_j, b'.\ell_z \in C$ such that $b'.\ell_i \stackrel{h-1}{=} b'.\ell_j \stackrel{h-1}{=} b'.\ell_z$ and $\{b'.\ell_i[h], b'.\ell_j[h], b'.\ell_z[h]\} = \{3,4,5\}$ for some $h \in \{1 \ldots n-1\}$. Since $b'.\ell_i$, $b'.\ell_j$ and $b'.\ell_z$ are elements of a choice vector, $b'.\ell_i \in \{b'.t_i, b'.nt_i\}$, $b'.\ell_j \in \{b'.t_j, b'.nt_j\}$, $b'.\ell_z \in \{b'.t_z, b'.nt_z\}$ and $i \ne z$, $j \ne z$, $j \ne i$. By I for state $b$, $\mathrm{TOT}(b) = \mathit{true}$. Therefore the values of $C$ for state $b$ must be totally ordered. The only label that changes as a result of the action is $nt_k$. Consequently, we can assume without loss of generality that $b'.\ell_z = b'.nt_k$ and $z = k$. Furthermore, since $i \ne k$ and $j \ne k$, $\ell_i$ and $\ell_j$ do not change as a result of the action. Thus, $b.\ell_i = b'.\ell_i$ and $b.\ell_j = b'.\ell_j$. Now we can conclude that:

$$b.\ell_i \stackrel{h-1}{=} b.\ell_j \stackrel{h-1}{=} b'.nt_k \quad\text{and}\quad \{b.\ell_i[h], b.\ell_j[h], b'.nt_k[h]\} = \{3,4,5\}. \qquad (1)$$

Recall that $b'.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h')$. We will now show that $h = h'$. Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$. Since $k \ne b.i_{max}$, $k \ne z$. The definition of NEXTLABEL implies that $b.t_z \stackrel{h'-1}{=} b'.nt_k$. For a contradiction assume that $h < h'$. Now substitute $b.t_z$ for $b'.nt_k$ in Equation 1 to conclude that $b.\ell_i \stackrel{h-1}{=} b.\ell_j \stackrel{h-1}{=} b.t_z$ and $\{b.\ell_i[h], b.\ell_j[h], b.t_z[h]\} = \{3,4,5\}$. By Lemma 5.2 any set of labels containing $b.\ell_i$, $b.\ell_j$, and $b.t_z$ is not totally ordered. We now show that $i \ne z$ and $j \ne z$, since this will allow us to conclude that there exists a choice vector that includes $b.\ell_i$, $b.\ell_j$, and $b.t_z$. Since $\{b.\ell_i[h], b.\ell_j[h], b.t_z[h]\} = \{3,4,5\}$ and $b.\ell_i \in \{b.t_i, b.nt_i\}$, either $b.t_i[h] \ne b.t_z[h]$ or $b.nt_i[h] \ne b.t_z[h]$. If $i = z$ the former is clearly impossible and the latter is impossible since $b.nt_z = b.t_z$ by invariant II. Thus $i \ne z$. The same argument shows that $j \ne z$. Now we have a choice vector for state $b$ whose values are not totally ordered. The existence of such a choice vector contradicts invariant I for state $b$. Thus $h \not< h'$. The definition of NEXTLABEL implies that $b'.nt_k[h''] = 1$ for all $h'' > h'$. Since $b'.nt_k[h] \in \{3,4,5\}$, $h \not> h'$. Now $h \not< h'$ and $h \not> h'$, so $h = h'$.

We now construct a set of labels which is not totally ordered and which includes $b.t_{max}$ and $b'.nt_k$. First we show that $b.t_{max}[h'] \in \{3,4,5\}$. Since $b'.nt_k[h'] \in \{3,4,5\}$, the definition of NEXTLABEL implies that $b.t_{max}[h'] \in \{2,3,4,5\}$. We proceed by showing that $b.t_{max}[h'] \ne 2$.

In order to reach a contradiction we assume that $b.t_{max}[h'] = 2$. Since $b.t_{max} \stackrel{h'-1}{=} b'.nt_k$ and $b'.nt_k \stackrel{h'-1}{=} b.\ell_i$, $b.t_{max} \stackrel{h'-1}{=} b.\ell_i$. Furthermore, $b.t_{max}[h'] = 2$ and $b.\ell_i[h'] \in \{3,4,5\}$, thus $b.t_{max}[h'] \prec_A b.\ell_i[h']$. Consequently, $b.t_{max} \prec b.\ell_i$. We consider the cases $b.\ell_i = b.t_i$ and $b.\ell_i = b.nt_i$ separately. When $b.\ell_i = b.t_i$, $b.t_{max} \prec b.t_i$, which contradicts the definition of $b.t_{max}$. Thus, this case cannot arise. When $b.\ell_i = b.nt_i$, $b.t_{max} \prec b.nt_i$. Now invariant III and the definition of NEXTLABEL imply that $b.nt_i[h'] = b.t_{max}[h']$ or $b.nt_i[h'] = \mathrm{NEXT}(b.t_{max}[h'])$ or $b.nt_i[h'] = 1$. Thus, when $b.t_{max}[h'] = 2$, $b.nt_i[h'] \notin \{4,5\}$. Therefore we can conclude that $b.\ell_i[h'] \notin \{4,5\}$ when $b.t_{max}[h'] = 2$. Using the same argument we can show that $b.\ell_j[h'] \notin \{4,5\}$ when $b.t_{max}[h'] = 2$. This contradicts Equation 1, according to which $\{b.\ell_i[h'], b.\ell_j[h'], b'.nt_k[h']\} = \{3,4,5\}$. Thus $b.t_{max}[h'] \ne 2$ and $b.t_{max}[h'] \in \{3,4,5\}$.

Since $\{b.\ell_i[h'], b.\ell_j[h'], b'.nt_k[h']\} = \{3,4,5\}$, using the definition of $\prec_A$, we can assume without loss of generality that:

$$b.\ell_i[h'] \prec_A b.\ell_j[h'] \prec_A b'.nt_k[h'] \quad\text{and}\quad b.\ell_i[h'] \not\prec_A b'.nt_k[h']. \qquad (2)$$

Recall that $z = b.i_{max}$: $b.t_z = b.t_{max}$, $b.t_z \stackrel{h'-1}{=} b'.nt_k$, and $b.t_z[h'] \prec_A b'.nt_k[h']$. Hence, we can replace $b.\ell_j$ by $b.t_{max}$ in Equation 1 and Equation 2, which yields the following:

$$b.\ell_i \stackrel{h'-1}{=} b.t_{max} \stackrel{h'-1}{=} b'.nt_k \quad\text{and}\quad \{b.\ell_i[h'], b.t_{max}[h'], b'.nt_k[h']\} = \{3,4,5\}, \qquad (3)$$

$$b.\ell_i[h'] \prec_A b.t_{max}[h'] \prec_A b'.nt_k[h'] \quad\text{and}\quad b.\ell_i[h'] \not\prec_A b'.nt_k[h']. \qquad (4)$$

Consequently,

$$b.\ell_i \prec b.t_{max} \prec b'.nt_k \quad\text{and}\quad b.\ell_i \not\prec b'.nt_k, \qquad (5)$$

$$\{b.\ell_i, b.t_{max}, b'.nt_k\} \subseteq \mathrm{CYCLE}(b.t_{max}, h'). \qquad (6)$$

Consider the cases $b.\ell_i = b.nt_i$ and $b.\ell_i = b.t_i$ separately:

$b.\ell_i = b.nt_i$: Since $b.nt_i \in \mathrm{CYCLE}(b.t_{max}, h')$, V for state $b$ shows that $b.t_i \stackrel{h'-1}{=} b.t_{max}$. By Claim 6.5.15, $\mathrm{NUM}_k(b.t_{max}, h'-1) = \mathrm{NUM}_k(b.t_{max}, h')$. Therefore, since $i \ne k$, $b.t_i \stackrel{h'-1}{=} b.t_{max}$ implies that $b.t_i \stackrel{h'}{=} b.t_{max}$. Now, from IV for state $b$ and the fact that $b.nt_i \prec b.t_{max}$, it follows that $b.nt_i \stackrel{h'}{=} b.t_{max}$, a contradiction to Equation 4, according to which $b.nt_i[h'] \prec_A b.t_{max}[h']$.

$b.\ell_i = b.t_i$: By Claim 6.5.15, $\mathrm{NUM}_k(b.t_{max}, h'-1) = \mathrm{NUM}_k(b.t_{max}, h')$. Therefore, since $i \ne k$, $b.t_i \stackrel{h'-1}{=} b.t_{max}$ implies that $b.t_i \stackrel{h'}{=} b.t_{max}$. Now, $b.t_i \stackrel{h'}{=} b.t_{max}$ contradicts Equation 4, according to which $b.t_i[h'] \prec_A b.t_{max}[h']$.

We have reached a contradiction in each case. Consequently, there exists no choice vector whose values are not totally ordered. Hence, $\mathrm{TOT}(b') = \mathit{true}$. ■

Claim 6.5.17 If $k \ne b.i_{max}$ then II–VI are true in $b'$.

Proof: VIb holds in state $b'$ since it holds in state $b$ and no $t$-labels change. Now consider II–VIa. If $i \ne k$, then the definition of $\mathrm{SNAP}_k(t_k, v_k)$ shows that neither $t_i$, $nt_i$, $t_{max}$, nor $\mathrm{NUM}_i(t_{max}, h)$ change. Therefore, II–VIa are true in state $b'$ since II–VIa are true in state $b$. So assume that $i = k$. In this case $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h')$ and $b'.t_{max} \prec b'.nt_i$. Consider II–VIa separately:

II: Since $k \ne b.i_{max}$, $i \ne b.i_{max}$. Furthermore, $b.i_{max} = b'.i_{max}$, thus $i \ne b'.i_{max}$. Now II is vacuously true in state $b'$.

III: Since $b'.t_{max} = b.t_{max}$ and $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h')$, $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h')$.

IV: Since $b'.t_{max} = b.t_{max} \prec b'.nt_i$, IV is vacuously true in $b'$.

V: Suppose that $b'.nt_i \in \mathrm{CYCLE}(b'.t_{max}, h)$ where $h \in \{1 \ldots n-1\}$. The definition of CYCLE now implies that $b'.nt_i[h] \in \{3,4,5\}$. Recall that $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h')$. The definition of NEXTLABEL implies that $b'.nt_i[h''] = 1$ for all $h'' > h'$. Since $b'.nt_i[h] \in \{3,4,5\}$, we can conclude that $h \le h'$. We consider the two cases $h = h'$ and $h < h'$ separately.

First consider the case $h = h'$. Since $\mathrm{NEXT}(1) \notin \{3,4,5\}$ and $\mathrm{NEXT}(b.t_{max}[h]) = b'.nt_i[h] \in \{3,4,5\}$, $b.t_{max}[h] \ne 1$. Now VIb for state $b$ shows that $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$. Furthermore, Claim 6.5.15 and the fact that $i = k$ show that $\mathrm{NUM}_i(b.t_{max}, h-1) < n-h+1$. Since $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$ and $\mathrm{NUM}_i(b.t_{max}, h-1) < n-h+1$, $i \in \mathrm{AGREE}(b.t_{max}, h-1)$. Thus $b.t_i \stackrel{h-1}{=} b.t_{max}$. Since $t_i$ and $t_{max}$ do not change, $b'.t_i \stackrel{h-1}{=} b'.t_{max}$.

Now consider the case $h < h'$. The fact that $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h')$ and the definition of NEXTLABEL imply that $b.t_{max}[h] = b'.nt_i[h]$. Therefore, $b.t_{max}[h] \ne 1$ since $b.t_{max}[h] = b'.nt_i[h] \in \{3,4,5\}$. Now VIb for state $b$ shows that $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$. The definition of $\mathrm{NEWLABEL}_i$ and the fact that $i = k$ show that $\mathrm{FULL}_i(h-1)$ returns $\mathit{false}$, which implies that $\mathrm{NUM}_i(b.t_{max}, h-1) < n-h+1$. Since $\mathrm{NUM}(b.t_{max}, h-1) \ge n-h+1$ and $\mathrm{NUM}_i(b.t_{max}, h-1) < n-h+1$, $i \in \mathrm{AGREE}(b.t_{max}, h-1)$. Thus $b.t_i \stackrel{h-1}{=} b.t_{max}$. Since $t_i$ and $t_{max}$ do not change, $b'.t_i \stackrel{h-1}{=} b'.t_{max}$.

VIa: Since $b'.t_{max} = b.t_{max}$ and $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h')$, we conclude that $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{max}, h')$. Now, Claim 6.5.15 implies that $\mathrm{NUM}_i(b'.t_{max}, h'-1) = n-h'$. ■

We can now complete the proof of the lemma. Claim 6.5.14 shows that I–VI hold for $b'$ when $k = b.i_{max}$. When $k \ne b.i_{max}$, Claim 6.5.16 shows that I holds in $b'$ and Claim 6.5.17 shows that II–VI hold for $b'$. ■

Proof: (For Theorem 6.1) We proceed by induction on the length of the execution ending in the reachable state $b$. The base case is established by Lemma 6.2. The induction step is a case analysis based on the action $\pi$, where $(b', \pi, b'')$ is a step in the execution. If $\pi \in \{\mathrm{BEGINSCAN}_k, \mathrm{ENDSCAN}_k(o_k, \bar v_k), \mathrm{BEGINLABEL}_k(val_k), \mathrm{ENDLABEL}_k\}$, the induction step follows from Lemma 6.3. If $\pi = \mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k))$, the induction step follows from Lemma 6.4. If $\pi = \mathrm{SNAP}_k(t_k, v_k)$, the induction step follows from Lemma 6.5. ■

7 Simulation Proof

In this section we prove that BCTSS solves CTSS. Specifically, we use Theorem 2.1 to show that $\mathit{fairbehs}(\mathrm{BCTSS}) \subseteq \mathit{fairbehs}(\mathrm{UCTSS})$. This implies that BCTSS implements UCTSS. Recall that we have already shown that UCTSS solves CTSS. In order to use Theorem 2.1, we define the relation $R$ between the states of BCTSS and the states of UCTSS as follows:

Definition 7.1 (relation $R$) If $b$ is a state of BCTSS and $u$ is a state of UCTSS then $(b, u) \in R$ iff for all $i, j \in \{1 \ldots n\}$, $i \ne j$:

1. $b.o_i = u.o_i$.

2. $b.t_j \prec b.t_i$ iff $u.t_j < u.t_i$,
$b.nt_j \prec b.t_i$ iff $u.nt_j < u.t_i$,
$b.t_j \prec b.nt_i$ iff $u.t_j < u.nt_i$,
$b.nt_j \prec b.nt_i$ iff $u.nt_j < u.nt_i$.

3. $b.v_i = u.v_i$.

4. $b.val_i = u.val_i$.

5. $b.\bar v_i = u.\bar v_i$.

6. $b.op_i = u.op_i$.

7. $b.pc_i = u.pc_i$.

Parts 1 and 5 ensure that a process $p_i$ returns the same response to a $\mathrm{SCAN}_i$ request in BCTSS and in UCTSS. Recall that $o_i$ contains the order of the labels that was last observed by $p_i$. Part 2 states that the $\prec$ ordering of any choice vector from BCTSS is the same as the $<$ ordering of the corresponding labels from UCTSS. Notice that part 2 gives no information about the relation between $t_i$ and $nt_i$. Parts 3 and 5 ensure that BCTSS and UCTSS associate values with labels in the same manner. Part 6 ensures that UCTSS and BCTSS will execute the same part of the $\mathrm{SNAP}_i$ action code. Finally, part 7 ensures that UCTSS and BCTSS will be able to execute the corresponding action during each state transition.

The following lemma proves that the first of the three assumptions required by Theorem 2.1 is true.

Lemma 7.1 For the initial state $b$ of BCTSS, there exists an initial state $u$ of UCTSS such that $(b, u) \in R$.

Proof: In the initial states $b$ of BCTSS and $u$ of UCTSS, $o_i = (1 \ldots n)$ for all $i \in \{1 \ldots n\}$. Hence part 1 of $R$ is satisfied. Part 2 is satisfied since $t_i = nt_j$ for all $i, j \in \{1 \ldots n\}$ in both BCTSS and UCTSS. Parts 3–5 are satisfied since $\bar v_i = (0 \ldots 0)$ and $v_i = val_i = 0$ for all $i \in \{1 \ldots n\}$ in both BCTSS and UCTSS. Parts 6 and 7 of $R$ are satisfied for the initial states since $op_i = pc_i = \mathrm{NIL}$ in both systems. ■

The following lemma shows that the mapping $R$ is preserved by all of the actions of BCTSS. This lemma proves that the second of the three assumptions required by Theorem 2.1 is true.

Lemma 7.2 Let $b$ be a reachable state of BCTSS and $u$ be a reachable state of UCTSS such that $(b, u) \in R$. If $(b, \pi, b')$ is a step of BCTSS then there exists $u'$ such that $(u, \pi, u')$ is a step of UCTSS and $(b', u') \in R$.
Proof: We proceed by case analysis on $\pi$.

Case $\pi \in \{\mathrm{BEGINSCAN}_k, \mathrm{ENDSCAN}_k(o_k, \bar v_k), \mathrm{ENDLABEL}_k\}$:

Since $(b, u) \in R$, we can conclude that $b.pc_k = u.pc_k$, $b.o_k = u.o_k$, and $b.\bar v_k = u.\bar v_k$. Hence, $\pi$ is enabled in $u$. Let $u'$ be the unique state of UCTSS such that $(u, \pi, u')$ is a step of UCTSS. In both BCTSS and UCTSS only $op_k$ and $pc_k$ change as a result of $\pi$. Inspection of the code in Figure 1 shows that $b'.op_k = u'.op_k$ and $b'.pc_k = u'.pc_k$. This suffices to show that $(b', u') \in R$.

Case $\pi = \mathrm{BEGINLABEL}_k(val_k)$:

Since $\mathrm{BEGINLABEL}_k(val_k)$ is an input action, it is clearly enabled in state $u$. Let $u'$ be the unique state of UCTSS such that $(u, \pi, u')$ is a step of UCTSS. Only $val_k$, $op_k$, and $pc_k$ change as a result of the action. By definition of the action $b'.val_k = u'.val_k$. Furthermore $b'.op_k = u'.op_k = \mathrm{LABEL}_k$ and $b'.pc_k = u'.pc_k = \mathrm{SNAP}_k(t_k, v_k)$. This suffices to show that $(b', u') \in R$.

Case $\pi = \mathrm{SNAP}_k(t_k, v_k)$ when $b.op_k = \mathrm{SCAN}_k$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Furthermore $u.op_k = b.op_k = \mathrm{SCAN}_k$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS.

$\mathrm{SNAP}_k(t_k, v_k)$, when $op_k = \mathrm{SCAN}_k$, determines $o_k$ based on the $\ll$ ordering. Recall that $\ll$ is a lexicographical order defined by the order between the $t$-labels, using $\prec$ for BCTSS and $<$ for UCTSS, and the order between the process indices. By assumption $(b, u) \in R$. This implies that $b.t_i \prec b.t_j$ iff $u.t_i < u.t_j$ for all $i, j \in \{1 \ldots n\}$; thus $\mathrm{SNAP}_k(t_k, v_k)$ will produce the same ordering for BCTSS and UCTSS. Hence $b'.o_k = u'.o_k$. Furthermore, part 3 of $R$ implies that $b'.\bar v_k = u'.\bar v_k$. Figure 1 shows $b'.pc_k = u'.pc_k = \mathrm{ENDSCAN}_k(o_k, \bar v_k)$. Only $o_k$, $\bar v_k$, and $pc_k$ change as a result of the action, and thus we can conclude that $(b', u') \in R$.

Case $\pi = \mathrm{SNAP}_k(t_k, v_k)$ when $b.op_k = \mathrm{LABEL}_k$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Furthermore $u.op_k = b.op_k = \mathrm{LABEL}_k$. There are two cases: $k = b.i_{max}$ and $k \ne b.i_{max}$.

We first consider the case $k = b.i_{max}$. Since $(b, u) \in R$, part 2 of $R$ implies that $b.i_{max} = u.i_{max}$. Hence, $k = u.i_{max}$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS. Now the definition of $\mathrm{NEWLABEL}_k$ for BCTSS and UCTSS shows that only $pc_k$ changes for both BCTSS and UCTSS. Figure 1 shows $b'.pc_k = u'.pc_k = \mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k))$. This suffices to show that $(b', u') \in R$.

So assume that $k \ne b.i_{max}$ for the remainder of the proof of this case. Since $(b, u) \in R$, part 2 of $R$ implies that $b.i_{max} = u.i_{max}$. Hence, $k \ne u.i_{max}$. In this case there are many states $u'$ such that $(u, \pi, u')$ is a step of UCTSS; these states differ only by the value of $u'.nt_k$. We now define a particular value $u'.nt_k$ and hence a particular state $u'$.

Define $S = \{i \mid i \ne k \text{ and } b.t_{max} \prec b.nt_i\}$. Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$. Invariant II shows that $b.nt_z = b.t_z$. Hence, $b.nt_z = b.t_{max}$. This implies that $z \notin S$. Thus, $b.i_{max} \notin S$. For all $i \in S$, III for state $b$ shows that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{max}, h_i)$ for some $h_i \in \{1 \ldots n-1\}$. Furthermore, the definition of $\mathrm{NEWLABEL}_k$ implies that $b'.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h_k)$ for some $h_k \in \{1 \ldots n-1\}$. Define:

$$S_1 = \{i \mid i \in S, h_i > h_k\}, \quad S_2 = \{i \mid i \in S, h_i = h_k\} \quad\text{and}\quad S_3 = \{i \mid i \in S, h_i < h_k\}. \qquad (7)$$

Note that:

$$S_1 \cap S_2 = S_2 \cap S_3 = S_1 \cap S_3 = \emptyset \quad\text{and}\quad S_1 \cup S_2 \cup S_3 = S. \qquad (8)$$

Since $\prec$ is a lexicographical order, the order between any two labels in BCTSS is determined by the first digit at which they differ. Therefore, for any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$, it is the case that:

$$b.t_{max} \prec b.nt_{i_1} \prec b.nt_{i_2} = b'.nt_k \prec b.nt_{i_3}. \qquad (9)$$

Recall $z = b.i_{max}$. Thus, $b.t_z \prec b.nt_{i_1} \prec b.nt_{i_2} = b'.nt_k \prec b.nt_{i_3}$. Since $z \notin S$ and $(b, u) \in R$, part 2 of $R$ now shows that $u.t_z < u.nt_{i_1} < u.nt_{i_2} < u.nt_{i_3}$. Since $b.i_{max} = u.i_{max}$, $z = u.i_{max}$ and $u.t_z = u.t_{max}$. This shows that:

$$u.t_{max} < u.nt_{i_1} < u.nt_{i_2} < u.nt_{i_3}. \qquad (10)$$

We use the following rules for picking $u'.nt_k$. If $S_2 \ne \emptyset$, then $u'.nt_k = u.nt_i$ for any $i \in S_2$. If on the other hand $S_2 = \emptyset$, define $u.nt_{max}$ and $u.nt_{min}$ as follows: $u.nt_{max} = \max(u.nt_i \mid i \in S_1)$ if $S_1 \ne \emptyset$, otherwise $u.nt_{max} = u.t_{max}$; $u.nt_{min} = \min(u.nt_i \mid i \in S_3)$ if $S_3 \ne \emptyset$, otherwise $u.nt_{min} = \infty$. Choose any $u'.nt_k$ such that $u.nt_{max} < u'.nt_k < u.nt_{min}$. For any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$, the two rules and Equation 10 imply that:

$$u.t_{max} < u.nt_{i_1} < u.nt_{i_2} = u'.nt_k < u.nt_{i_3}. \qquad (11)$$

With both rules for choosing $u'.nt_k$, $u.t_{max} < u'.nt_k$. Hence, there exists an $X \in \mathbb{R}_{>0}$ such that $u'.nt_k = u.t_{max} + X$.
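The two rules for picking $u'.nt_k$ are the only place where the simulation has to make a choice, so it is worth seeing them executed. The following is an added example, not code from the paper: it takes $u.t_{max}$, the index $h_k$ of the BCTSS label $b'.nt_k$, and, for each $i \in S$, the pair $(h_i, u.nt_i)$ (the NEXTLABEL index of $b.nt_i$ and the matching real-valued UCTSS label), splits $S$ into $S_1, S_2, S_3$ as in Equation 7, and returns a value of $u'.nt_k$ that satisfies Equation 11. The concrete midpoint and "$u.nt_{max} + 1$" choices in rule 2 are this example's own; the proof only requires some value strictly between $u.nt_{max}$ and $u.nt_{min}$. The inputs in the test are constructed so that Equation 10 holds.

```python
import math
from typing import Dict, List, Tuple

# Added example: the rule from the proof of Lemma 7.2 for choosing u'.nt_k in
# UCTSS when BCTSS gives process k the new label b'.nt_k = NEXTLABEL(b.t_max, h_k).
# s_info maps i -> (h_i, u.nt_i) for every i in S = {i != k : b.t_max < b.nt_i}.
SInfo = Dict[int, Tuple[int, float]]


def partition_S(h_k: int, s_info: SInfo) -> Tuple[List[float], List[float], List[float]]:
    """Split the UCTSS labels of S into S1, S2, S3 of Equation 7.

    A larger NEXTLABEL index changes a later digit, so by Equation 9 the labels of
    S1 (h_i > h_k) lie below b'.nt_k, S2 (h_i = h_k) equal it, S3 (h_i < h_k) lie above.
    """
    s1 = [nt for (h, nt) in s_info.values() if h > h_k]
    s2 = [nt for (h, nt) in s_info.values() if h == h_k]
    s3 = [nt for (h, nt) in s_info.values() if h < h_k]
    return s1, s2, s3


def choose_u_nt_k(u_t_max: float, h_k: int, s_info: SInfo) -> float:
    """Return a value for u'.nt_k that satisfies Equation 11."""
    s1, s2, s3 = partition_S(h_k, s_info)
    if s2:
        # Rule 1: take the label of any i in S2 (by part 2 of R they are all equal).
        return s2[0]
    # Rule 2: u.nt_max < u'.nt_k < u.nt_min, with the defaults from the proof.
    nt_max = max(s1) if s1 else u_t_max
    nt_min = min(s3) if s3 else math.inf
    assert nt_max < nt_min, "Equation 10 guarantees that the gap is non-empty"
    if math.isinf(nt_min):
        return nt_max + 1.0            # any X > 0 would do (example's choice)
    return (nt_max + nt_min) / 2.0     # midpoint of the gap (example's choice)


def satisfies_eq11(u_t_max: float, h_k: int, s_info: SInfo, new_nt_k: float) -> bool:
    """Check u.t_max < u.nt_{i1} < u.nt_{i2} = u'.nt_k < u.nt_{i3} for a candidate."""
    s1, s2, s3 = partition_S(h_k, s_info)
    return (u_t_max < new_nt_k
            and all(nt < new_nt_k for nt in s1)
            and all(nt == new_nt_k for nt in s2)
            and all(new_nt_k < nt for nt in s3))


if __name__ == "__main__":
    # Constructed instance: S1 = {1}, S3 = {2}, S2 empty, so rule 2 applies.
    info = {1: (3, 6.0), 2: (1, 9.0)}
    chosen = choose_u_nt_k(5.0, 2, info)
    print(chosen, satisfies_eq11(5.0, 2, info, chosen))
```

When $S_2$ is non-empty the choice is forced (rule 1); otherwise any point in the open interval works, which is why the proof can then write $u'.nt_k = u.t_{max} + X$ for some $X > 0$.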

We now show that $(b', u') \in R$. Only $nt_k$ and $pc_k$ change as a result of the action. Figure 1 shows $b'.pc_k = u'.pc_k = \mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k))$. Consequently, $(b', u') \in R$ if we can show that part 2 of $R$ holds for states $b'$ and $u'$. For part 2 of the relation there are four cases to consider. All other cases do not involve $b'.nt_k$. Let $i \in \{1 \ldots n\}$ and $i \ne k$:

1. $b'.nt_k \prec b'.t_i$ iff $u'.nt_k < u'.t_i$,
$b'.t_i \prec b'.nt_k$ iff $u'.t_i < u'.nt_k$:

Since no $t$-labels change, $b'.t_{max} = b.t_{max}$ and $b'.i_{max} = b.i_{max}$. Recall that $k \ne b.i_{max}$, hence $b'.nt_k = \mathrm{NEXTLABEL}(b.t_{max}, h_k)$ and $b'.t_{max} = b.t_{max} \prec b'.nt_k$ as a result of the action. Furthermore, $b'.t_i = b.t_i$. Therefore, $b'.t_i \preceq b'.t_{max} \prec b'.nt_k$. Let $z = b'.i_{max}$. In this case $z \ne k$ and $b'.t_z = b'.t_{max}$. Since $i \ne k$, $z \ne k$ and $b'.t_z = b'.t_{max}$, there exists a choice vector that includes $b'.t_i$, $b'.t_{max}$, and $b'.nt_k$. By invariant I the values of this choice vector are totally ordered by $\prec$. Therefore, $b'.t_i \preceq b'.t_{max} \prec b'.nt_k$ implies that $b'.t_i \prec b'.nt_k$.

Similarly, since $k \ne u.i_{max}$, $u'.t_{max} = u.t_{max} < u'.nt_k$ as a result of the action. Furthermore, $u'.t_i = u.t_i$. Therefore $u'.t_i \le u'.t_{max} < u'.nt_k$. This implies that $u'.t_i < u'.nt_k$.

2. $b'.nt_i \prec b'.nt_k$ iff $u'.nt_i < u'.nt_k$,
$b'.nt_k \prec b'.nt_i$ iff $u'.nt_k < u'.nt_i$:

We can divide the $nt$-labels of UCTSS into two disjoint sets. Recall that $S = \{j \mid j \ne k \text{ and } b.t_{max} \prec b.nt_j\}$. Define $T = \{j \mid j \ne k \text{ and } b.t_{max} \succeq b.nt_j\}$. Similarly, define $S_u = \{j \mid j \ne k \text{ and } u.t_{max} < u.nt_j\}$ and $T_u = \{j \mid j \ne k \text{ and } u.t_{max} \ge u.nt_j\}$. By part 2 of $R$ and the fact that $(b, u) \in R$, $S = S_u$ and $T = T_u$. Consider $i \in T$ and $i \in S$ separately.

Suppose $i \in T$. Since $i \ne k$, $b'.nt_i = b.nt_i$. Therefore $b'.nt_i \preceq b'.t_{max} \prec b'.nt_k$. Let $z = b'.i_{max}$. In this case $z \ne k$ and $b'.t_z = b'.t_{max}$. Since $i \ne k$, $z \ne k$ and $b'.t_z = b'.t_{max}$, there exists a choice vector that includes $b'.nt_i$, $b'.t_{max}$, and $b'.nt_k$. By invariant I the values of this choice vector are totally ordered by $\prec$. Therefore, $b'.nt_i \preceq b'.t_{max} \prec b'.nt_k$ implies that $b'.nt_i \prec b'.nt_k$. Similarly, $u'.nt_i = u.nt_i$, since $i \ne k$. Therefore, $u'.nt_i \le u'.t_{max} < u'.nt_k$. This implies that $u'.nt_i < u'.nt_k$.

Now suppose $i \in S$. Consider any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$ where $S_1, S_2, S_3$ are defined by Equation 7. Since $k \notin S$, $b'.nt_j = b.nt_j$ and $u'.nt_j = u.nt_j$ for all $j \in S$. Consequently Equation 9 and Equation 11 show that $b.t_{max} \prec b'.nt_{i_1} \prec b'.nt_{i_2} = b'.nt_k \prec b'.nt_{i_3}$ and $u.t_{max} < u'.nt_{i_1} < u'.nt_{i_2} = u'.nt_k < u'.nt_{i_3}$. Using these facts we now consider the following cases: $i \in S_1$, $i \in S_2$, and $i \in S_3$. If $i \in S_1$, then $b'.nt_i \prec b'.nt_k$ and $u'.nt_i < u'.nt_k$. If $i \in S_2$, then $b'.nt_i = b'.nt_k$ and $u'.nt_i = u'.nt_k$. If $i \in S_3$, then $b'.nt_k \prec b'.nt_i$ and $u'.nt_k < u'.nt_i$.

Case $\pi = \mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k))$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS.

Only $v_k$, $t_k$ and $pc_k$ change as a result of the action. Since $(b, u) \in R$, part 4 of $R$ shows that $b.val_k = u.val_k$. Thus, $b'.v_k = u'.v_k$. Figure 1 shows $b'.pc_k = u'.pc_k = \mathrm{ENDLABEL}_k$. Consequently, $(b', u') \in R$ if we can show that part 2 of $R$ holds for states $b'$ and $u'$. For part 2 of $R$ there are four cases to consider. All other cases are immediate since they do not involve $t_k$, and since $t_k$ is the only label that changes as a result of the action. Let $i \in \{1 \ldots n\}$ and $i \ne k$:

1. $b'.t_k \prec b'.t_i$ iff $u'.t_k < u'.t_i$:

Since $(b, u) \in R$ and $t_k$ is the only label that changes, $b.nt_k \prec b'.t_i$ iff $u.nt_k < u'.t_i$. As a result of the action, $b'.t_k = b.nt_k$ and $u'.t_k = u.nt_k$. Hence $b'.t_k \prec b'.t_i$ iff $u'.t_k < u'.t_i$.

2. $b'.t_i \prec b'.t_k$ iff $u'.t_i < u'.t_k$,
$b'.nt_i \prec b'.t_k$ iff $u'.nt_i < u'.t_k$,
$b'.t_k \prec b'.nt_i$ iff $u'.t_k < u'.nt_i$:

For all three statements, the reasoning is similar to that of case 1. ■

We can now conclude that BCTSS correctly implements the properties of CTSS.

Theorem 7.3 BCTSS solves CTSS.

Proof: By definition of BCTSS and UCTSS, $\mathit{sig}(\mathrm{BCTSS}) = \mathit{sig}(\mathrm{UCTSS})$ and $\mathit{part}(\mathrm{BCTSS}) = \mathit{part}(\mathrm{UCTSS})$. Lemma 7.1 and Lemma 7.2 show that BCTSS and UCTSS satisfy the first two conditions of Theorem 2.1. For the third condition note that an action $\pi$ is enabled in UCTSS if and only if $\pi$ is enabled in BCTSS. Consequently, Theorem 2.1 shows that $\mathit{fairbehs}(\mathrm{BCTSS}) \subseteq \mathit{fairbehs}(\mathrm{UCTSS})$. Thus BCTSS implements UCTSS. Since UCTSS solves CTSS, BCTSS solves CTSS. ■



8 Applications

This section discusses two applications of a CTSS in the area of wait-free algorithms. Specifically, we discuss multireader multiwriter atomic registers and first-come-first-serve (FCFS) mutual exclusion⁸. Both of these problems are solved by very simple algorithms based on a CTSS. Using our bounded CTSS, these problems have a simple bounded solution. For both problems we present an algorithm based on a CTSS along with a correctness proof for the algorithm. In the correctness proof, we assume nothing about the CTSS except that it satisfies the CTSS specification of Section 3.

$\ell$-exclusion (see [13, 14]) and randomized consensus (see [4, 8, 27, 2]) are also important problems that have simple CTSS based solutions. $\ell$-exclusion seeks to limit the number of processes concurrently executing a section of code called the critical section to $\ell$. Mutual exclusion is the same as $\ell$-exclusion when $\ell = 1$. Randomized consensus provides a random algorithm by which a set of asynchronous processes can agree on a common value. A consensus algorithm is considered valid if all processes agree on value $a$ whenever $a$ was the input originally given to all processes. Finally, a consensus algorithm must guarantee that each process will terminate in a finite number of steps with probability 1 even if other processes exhibit stopping failures. Shavit [37] presents an algorithm based on a CTSS along with a correctness proof for both the $\ell$-exclusion and randomized consensus problems. In the correctness proofs, he assumes nothing about the CTSS except that it satisfies axioms P0–P3 of the CTSS specification of Section 3.

⁸ The algorithms for FCFS mutual exclusion and multireader multiwriter registers presented in this paper are based on similar algorithms presented in [37]. We discuss the algorithms since [37] does not prove their correctness.
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8.1 Multireader Multiwriter Atomic Registers 

This section presents a simple bounded algorithm for solving the famous problem of construct- 
ing a multireader multiwriter atomic register, MRMW, from single writer multireader atomic 
registers (see [33, 17, 36]). Informally, the read and write operations of a multireader mul- 
tiwriter atomic register are separated into a request (input) action and a response (output) 
action, concurrent operations executions are allowed, and every request eventually terminates 
in a matching response, in such a way as to produce the illusion of instantaneous operations. 

The algorithm in Figure 6 is a version (due to Li and Vitanyi [25]) of the elegant and simple 
unbounded Vitanyi- Awerbuch algorithm [34]. The original solution is based on an unbounded 
construction that behaves in a manner similar a ctss. We replace this construction by the 
label and scan operations of the ctss specification 9 . 

The code for the operations of MRMW is presented in two forms. Figure 7 presents the code in the precondition-effect notation commonly used to describe I/O Automata. Figure 6 uses pseudocode. We use the precondition-effect notation as the basis for the correctness proof and include the compact and intuitive pseudocode only for clarity. The only shared variables of MRMW are those of the CTSS. The local variables $\bar{o}_i$ and $\bar{v}_i$ contain the results of the SCAN$_i$ operation. Recall that the $n$-th process index in the array $\bar{o}_i$, $o_{i,n}$, contains the process index of the process currently associated with the "largest" label in the $\Rightarrow$ ordering of LABEL operations.



READ_i:
    SCAN_i(o_i, v_i)
    return v_{i,max} where max = o_{i,n}

WRITE_i(val_i):
    LABEL_i(val_i)

Figure 6: Pseudocode for MRMW.



In terms of the I/O Automata model, MRMW is an I/O Automaton with an operational interface. MRMW is the composition of $n$ I/O Automata $\{p_1 \ldots p_n\}$ and any I/O Automaton solving CTSS for $n$ concurrent operations. The actions BEGINSCAN$_i$, ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$,

(Footnote 9) [37] erroneously claims that the Vitanyi-Awerbuch algorithm [34] can be implemented using a CTSS that only satisfies axioms P0-P3.
Shared State:
    The shared state of the CTSS with initial values given by Figure 1.

Local State:
    The local state of the CTSS with initial values given by Figure 1.
    val_i:     The value written by WRITE_i; initially v_0.
    v_{i,max}: The value returned by READ_i; initially v_0.
    v_i:       An array of values returned by SCAN_i; initially (v_0 ... v_0).
    o_i:       An array of process indexes returned by SCAN_i; initially (1 ... n).

READ_i:
    BEGINREAD_i              Eff: pc_i <- BEGINSCAN_i
    BEGINSCAN_i              Pre: pc_i = BEGINSCAN_i
                             Eff: pc_i <- NIL
    ENDSCAN_i(o_i, v_i)      Eff: pc_i <- ENDREAD_i(v_{i,max}) where max = o_{i,n}
    ENDREAD_i(v_{i,max})     Pre: pc_i = ENDREAD_i(v_{i,max})
                             Eff: pc_i <- NIL

WRITE_i:
    BEGINWRITE_i(val_i)      Eff: pc_i <- BEGINLABEL_i(val_i)
    BEGINLABEL_i(val_i)      Pre: pc_i = BEGINLABEL_i(val_i)
                             Eff: pc_i <- NIL
    ENDLABEL_i               Eff: pc_i <- ENDWRITE_i
    ENDWRITE_i               Pre: pc_i = ENDWRITE_i
                             Eff: pc_i <- NIL

Figure 7: Precondition-Effect code for MRMW.
BEGINLABEL$_i(val_i)$, and ENDLABEL$_i$ are the means by which $p_i$ and the I/O Automaton solving CTSS communicate. These actions are hidden in MRMW. Each $p_i$ is an I/O Automaton with an operational interface. The operation types of $p_i$ are READ$_i$, WRITE$_i$, SCAN$_i$, and LABEL$_i$. The operation type READ$_i$ consists of the input action BEGINREAD$_i$ and the output action ENDREAD$_i(v_{i,max})$. The operation type WRITE$_i$ consists of the input action BEGINWRITE$_i(val_i)$ and the output action ENDWRITE$_i$. The operation type SCAN$_i$ consists of the output action BEGINSCAN$_i$ and the input action ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$. The operation type LABEL$_i$ consists of the output action BEGINLABEL$_i(val_i)$ and the input action ENDLABEL$_i$. There are no internal actions for $p_i$. The set states($p_i$) is the set of all possible states of $p_i$, where each state is defined by the values of the variables of the shared and local state. The set starts($p_i$) is the set consisting of the state defined by the initial values of the variables of the shared and local state. The set steps($p_i$) is characterized by the precondition clause in each action. The set part($p_i$) consists of the equivalence class $C_i$, where $C_i$ consists of BEGINSCAN$_i$, ENDREAD$_i(v_{i,max})$, BEGINLABEL$_i(val_i)$, and ENDWRITE$_i$.

We introduce the following notation. In any schedule $\beta$, where beh($\beta$) $\in$ fairbehs(MRMW) and beh($\beta$) is well-formed and response-live, denote the $a$-th execution of WRITE$_i$ by $W_i^{[a]}$ and the $a$-th execution of READ$_i$ by $R_i^{[a]}$. Since each WRITE operation results in exactly one LABEL operation and each READ operation results in exactly one SCAN operation, $L_i^{[a]}$ and $S_i^{[a]}$ are the LABEL$_i$ operation of $W_i^{[a]}$ and the SCAN$_i$ operation of $R_i^{[a]}$ respectively. Define $x(i,a) = o_{i,n}$ for operation $R_i^{[a]}$. Intuitively, $x(i,a)$ is the index of the process that wrote the value returned by $R_i^{[a]}$. Let $c$ be a choice function for $\beta$ as characterized by P0-P4 of Section 3. Define $r(i,a) = c(i,a,x(i,a))$ for operation $R_i^{[a]}$. Intuitively, $r(i,a)$ is the execution number of the WRITE operation that wrote the value returned by $R_i^{[a]}$. Since MRMW has an operational interface and beh($\beta$) is well-formed and response-live, Definition 2.8 gives a partial order $\to$ on all READ and WRITE operations of $\beta$. By inspection of the code in Figure 7, the projection of $\beta$ onto the actions in exsig(CTSS), $\beta_C$, yields a well-formed and response-live behavior, where $\beta_C \in$ behs(CTSS). Consequently, Definition 2.8 gives a partial order $\to'$ on all SCAN and LABEL operations of $\beta$. Note that $W_i^{[a]} \to R_j^{[b]}$ implies that $L_i^{[a]} \to' S_j^{[b]}$. However, $L_i^{[a]} \to' S_j^{[b]}$ does not imply $W_i^{[a]} \to R_j^{[b]}$.

An atomic multireader multiwriter register is characterized by the following serial specification S [23], [28]:

Definition 8.1 (serial specification S) Let $s$ be a sequence of READ and WRITE operations. Then $s \in S$ if every READ operation returns the value written by the WRITE operation that immediately precedes the READ operation in $s$. If no such WRITE operation exists, the READ operation returns the initial value $v_0$. ■

In order to prove that MRMW is an atomic multireader multiwriter register, we must show that MRMW is well-formed-preserving and response-live. Furthermore, we must show that for every well-formed and response-live behavior $\beta$, where $\beta \in$ fairbehs(MRMW), there exists an order $\Rightarrow$ such that (see Definition 2.10):

1. $\Rightarrow$ is a total order on all READ and WRITE operations that is consistent with $\to$.

2. If $s$ is the sequence of READ and WRITE operations ordered by $\Rightarrow$, then $s \in S$ of Definition 8.1.

Consider any schedule $\beta$ where beh($\beta$) $\in$ fairbehs(MRMW) and beh($\beta$) is well-formed and response-live. Define order $\Rightarrow'$ and choice function $c$ for $\beta_C$ as characterized by P0-P4. We construct $\Rightarrow$ in several steps.

Notice that each WRITE operation includes a LABEL operation from the underlying CTSS. By P1 the LABEL operations are totally ordered by $\Rightarrow'$ in a manner that is consistent with the partial order $\to'$. Now define $\Rightarrow$ as follows:

$W_i^{[a]} \Rightarrow W_j^{[b]}$ iff $L_i^{[a]} \Rightarrow' L_j^{[b]}$.

Note that $\Rightarrow$ so far is only defined on the WRITE operations. Now extend $\Rightarrow$ to include the READ operations.

Insert $R_i^{[a]}$ in $\Rightarrow$ such that $R_i^{[a]}$ is between $W_{x(i,a)}^{[r(i,a)]}$ and the WRITE operation that immediately succeeds $W_{x(i,a)}^{[r(i,a)]}$ in $\Rightarrow$. If $r(i,a) = 0$ then let $R_i^{[a]}$ precede the first WRITE operation.

Now $\Rightarrow$ orders each READ operation with respect to every WRITE operation. However, $\Rightarrow$ is not yet a total order: READ operations are ordered amongst themselves only if they are transitively ordered by a WRITE operation. Let $R$ be any set of READ operations that are ordered between two WRITE operations that are consecutive in the $\Rightarrow$ order. Now extend $\Rightarrow$ such that the elements of $R$ are totally ordered in a manner that is consistent with $\to$. Repeat this procedure for each set of READ operations that are ordered between two WRITE operations that are consecutive in the $\Rightarrow$ order. Finally, extend $\Rightarrow$ for the READ operations that are ordered before any WRITE operation in a manner that is consistent with $\to$. Now $\Rightarrow$ is a total order. Specifically, $\Rightarrow$ is irreflexive, antisymmetric, transitive and total. We now show that $\Rightarrow$ is consistent with $\to$.
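To make the construction concrete, here is an added example (not code from the paper, nor from Li and Vitanyi): the Figure 6 register built over a toy unbounded CTSS in which a label is a (sequence number, process index) pair and LABEL$_i$ and SCAN$_i$ are each a single atomic step. That toy CTSS is an assumption made only for the simulation; the paper's bounded construction is not reproduced. After a random interleaving of READ and WRITE operations, `build_serial_order` constructs $\Rightarrow$ exactly as described above (WRITEs in label order, each READ right after the WRITE whose label it returned, READs within one gap ordered consistently with $\to$), and the two checks test Definition 8.1 and consistency with $\to$. All names, the logical clock ticks and the values written are constructed for this example.

```python
import random

V0 = "v0"          # the register's initial value v_0 (constructed for this example)


class UnboundedCTSS:
    """Toy unbounded CTSS (an assumption for this example, not the paper's
    bounded construction): a label is a (sequence number, process index) pair
    and the => order on labels is the ordinary pair order. LABEL_i and SCAN_i
    are each executed as one atomic step of the simulation."""

    def __init__(self, n, v0):
        self.labels = [(0, i) for i in range(n)]   # initial labels, ordered 1..n
        self.vals = [v0] * n                        # the value attached to each label

    def label(self, i, val):
        seq = max(s for s, _ in self.labels) + 1    # strictly above every label seen
        self.labels[i] = (seq, i)
        self.vals[i] = val
        return self.labels[i]

    def scan(self, i):
        # o-bar_i: process indexes in increasing label order; v-bar_i: their values
        order = sorted(range(len(self.labels)), key=lambda k: self.labels[k])
        return order, list(self.vals), list(self.labels)


def run_mrmw(n=3, ops_per_proc=4, seed=1):
    """Figure 6 over the toy CTSS under a random interleaving. Each operation is
    three scheduler steps: request action, its single CTSS step, response action.
    Returns the completed operations with logical begin/end times."""
    rnd = random.Random(seed)
    ctss = UnboundedCTSS(n, V0)
    pending = {i: [rnd.choice(["READ", "WRITE"]) for _ in range(ops_per_proc)]
               for i in range(n)}
    active, history, clock = {}, [], 0
    while any(pending.values()) or active:
        i = rnd.choice([k for k in range(n) if pending[k] or k in active])
        clock += 1
        if i not in active:                         # BEGINREAD_i / BEGINWRITE_i(val_i)
            kind = pending[i].pop(0)
            op = {"pid": i, "kind": kind, "begin": clock, "stepped": False}
            if kind == "WRITE":
                op["value"] = f"w{i}.{clock}"       # constructed, unique per WRITE
            active[i] = op
        elif not active[i]["stepped"]:              # the operation's CTSS step
            op = active[i]
            op["stepped"] = True
            if op["kind"] == "WRITE":               # WRITE_i(val_i) = LABEL_i(val_i)
                op["label"] = ctss.label(i, op["value"])
            else:                                   # READ_i = SCAN_i; return v_{i,max}
                order, vals, labels = ctss.scan(i)
                x = order[-1]                       # x(i,a) = o_{i,n}
                op["value"], op["label"] = vals[x], labels[x]
        else:                                       # ENDREAD_i / ENDWRITE_i
            active[i]["end"] = clock
            history.append(active.pop(i))
    return history


def build_serial_order(history):
    """The => construction of the text: WRITEs in =>' (label) order; each READ
    right after the WRITE whose label it returned, or before every WRITE when it
    returned an initial label (r(i,a) = 0); READs in one gap by request time,
    which is consistent with ->."""
    writes = sorted((op for op in history if op["kind"] == "WRITE"),
                    key=lambda w: w["label"])
    gaps = {w["label"]: [] for w in writes}
    gaps[None] = []
    for op in history:
        if op["kind"] == "READ":
            gaps[op["label"] if op["label"][0] > 0 else None].append(op)

    def by_request(r):
        return r["begin"]

    order = sorted(gaps[None], key=by_request)
    for w in writes:
        order.append(w)
        order.extend(sorted(gaps[w["label"]], key=by_request))
    return order


def satisfies_serial_spec(order, v0=V0):
    """Definition 8.1: each READ returns the value of the WRITE just before it."""
    last = v0
    for op in order:
        if op["kind"] == "WRITE":
            last = op["value"]
        elif op["value"] != last:
            return False
    return True


def consistent_with_precedence(order):
    """A -> B (A's response precedes B's request) must imply A => B."""
    pos = {id(op): k for k, op in enumerate(order)}
    return all(pos[id(a)] < pos[id(b)]
               for a in order for b in order if a["end"] < b["begin"])


def check_mrmw(seed=1, n=3, ops_per_proc=4):
    history = run_mrmw(n, ops_per_proc, seed)
    order = build_serial_order(history)
    return (len(order) == len(history),
            satisfies_serial_spec(order), consistent_with_precedence(order))
```

Ordering the READs of one gap by request time is one legal way to carry out the "consistent with $\to$" step of the construction: if $A \to B$ then $A$'s response, and hence its request, precedes $B$'s request. The toy CTSS is linearizable, so every seed yields an order passing both checks; replacing it with a CTSS that violates P1 or P2 would make `consistent_with_precedence` fail, which is what the lemmas that follow rule out.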

Lemma 8.1 For any $i,j \in \{1 \ldots n\}$, if $W_i^{[a]} \Rightarrow W_j^{[b]}$ then $W_j^{[b]} \not\to W_i^{[a]}$.

Proof: Since $W_i^{[a]} \Rightarrow W_j^{[b]}$, the construction of $\Rightarrow$ shows that $L_i^{[a]} \Rightarrow' L_j^{[b]}$. Now P1a implies that $L_j^{[b]} \not\to' L_i^{[a]}$. Consequently $W_j^{[b]} \not\to W_i^{[a]}$. ■

Lemma 8.2 For any $i,j \in \{1 \ldots n\}$, if $R_i^{[a]} \Rightarrow W_j^{[b]}$ then $W_j^{[b]} \not\to R_i^{[a]}$.

Proof: We consider the cases $b = c(i,a,j)$, $b < c(i,a,j)$, and $b > c(i,a,j)$ separately.

$b = c(i,a,j)$: There are two cases to consider: $j = x(i,a)$ and $j \neq x(i,a)$. When $j = x(i,a)$, then by construction of the $\Rightarrow$ order, $c(i,a,j) = r(i,a)$ and $W_j^{[b]} \Rightarrow R_i^{[a]}$. This contradicts the assumption that $R_i^{[a]} \Rightarrow W_j^{[b]}$, so this case cannot arise. Now consider the case $j \neq x(i,a)$. Assume that $r(i,a) > 0$. Since $R_i^{[a]} \Rightarrow W_j^{[b]}$, the construction of the $\Rightarrow$ order implies that $W_{x(i,a)}^{[r(i,a)]} \Rightarrow R_i^{[a]} \Rightarrow W_j^{[b]}$. Consequently, $L_{x(i,a)}^{[r(i,a)]} \Rightarrow' L_j^{[b]}$. Now, P1b implies that $S_i^{[a]}$ finds $x(i,a) < j$ in $\bar{o}_i$. However, by definition of $x(i,a)$ no such $j$ exists. Therefore, this case cannot arise. Now consider the case $j \neq x(i,a)$ when $r(i,a) = 0$. Since $b \neq 0$, P1b implies that $S_i^{[a]}$ finds $x(i,a) < j$ in $\bar{o}_i$. However, by definition of $x(i,a)$ no such $j$ exists. Therefore, this case cannot arise.

$b < c(i,a,j)$: In the previous case we proved that $W_j^{[c(i,a,j)]} \Rightarrow R_i^{[a]}$. Since $b < c(i,a,j)$, it must be the case that $L_j^{[b]} \to' L_j^{[c(i,a,j)]}$. Now, P1a shows that $L_j^{[b]} \Rightarrow' L_j^{[c(i,a,j)]}$. Consequently, the construction of the $\Rightarrow$ order implies $W_j^{[b]} \Rightarrow W_j^{[c(i,a,j)]} \Rightarrow R_i^{[a]}$, which contradicts the assumption that $R_i^{[a]} \Rightarrow W_j^{[b]}$. Therefore, this case cannot arise.

$b > c(i,a,j)$: We proceed by showing that $L_j^{[b]} \not\to' S_i^{[a]}$. In order to reach a contradiction, assume that $L_j^{[b]} \to' S_i^{[a]}$. Assume also that $c(i,a,j) > 0$. Since $b > c(i,a,j)$, it follows that $L_j^{[c(i,a,j)]} \to' L_j^{[b]}$. Thus $L_j^{[c(i,a,j)]} \to' L_j^{[b]} \to' S_i^{[a]}$, which is impossible by P2. Therefore $L_j^{[b]} \not\to' S_i^{[a]}$. Furthermore, if $c(i,a,j) = 0$, P2 directly shows that $L_j^{[b]} \not\to' S_i^{[a]}$. Since $L_j^{[b]} \not\to' S_i^{[a]}$, we conclude that $W_j^{[b]} \not\to R_i^{[a]}$. ■



Lemma 8.3 For any $i,j \in \{1 \ldots n\}$, if $W_j^{[b]} \Rightarrow R_i^{[a]}$ then $R_i^{[a]} \not\to W_j^{[b]}$.

Proof: We consider the cases $b = c(i,a,j)$, $b < c(i,a,j)$, and $b > c(i,a,j)$ separately.

$b = c(i,a,j)$: P2 implies that $S_i^{[a]} \not\to' L_j^{[b]}$. This shows directly that $R_i^{[a]} \not\to W_j^{[b]}$.

$b < c(i,a,j)$: P2 implies that $S_i^{[a]} \not\to' L_j^{[c(i,a,j)]}$. Since $b < c(i,a,j)$, $L_j^{[b]} \to' L_j^{[c(i,a,j)]}$. Consequently, $S_i^{[a]} \not\to' L_j^{[b]}$. This shows directly that $R_i^{[a]} \not\to W_j^{[b]}$.

$b > c(i,a,j)$: We proceed by showing that $S_i^{[a]} \not\to' L_j^{[b]}$. In order to reach a contradiction, assume that $S_i^{[a]} \to' L_j^{[b]}$. Assume that $r(i,a) > 0$. Now P4 implies that $L_{x(i,a)}^{[c(i,a,x(i,a))]} \Rightarrow' L_j^{[b]}$. By construction of the $\Rightarrow$ order, this implies that $R_i^{[a]} \Rightarrow W_j^{[b]}$. If $r(i,a) = 0$, the construction of the $\Rightarrow$ order shows that $R_i^{[a]} \Rightarrow W_j^{[b]}$. However, the fact that $R_i^{[a]} \Rightarrow W_j^{[b]}$ contradicts the assumption that $W_j^{[b]} \Rightarrow R_i^{[a]}$. Consequently, $S_i^{[a]} \not\to' L_j^{[b]}$. This shows immediately that $R_i^{[a]} \not\to W_j^{[b]}$. ■



Lemma 8.4 For any $i,j \in \{1 \ldots n\}$, if $R_i^{[a]} \Rightarrow R_j^{[b]}$ then $R_j^{[b]} \not\to R_i^{[a]}$.

Proof: We consider two cases. First consider the case where there does not exist $W_k^{[d]}$ such that $R_i^{[a]} \Rightarrow W_k^{[d]} \Rightarrow R_j^{[b]}$. In this case the construction of the $\Rightarrow$ order immediately shows that $R_j^{[b]} \not\to R_i^{[a]}$ when $R_i^{[a]} \Rightarrow R_j^{[b]}$. For the second case assume that there exists $W_k^{[d]}$ such that $R_i^{[a]} \Rightarrow W_k^{[d]} \Rightarrow R_j^{[b]}$. The right-most such $W_k^{[d]}$ is given by $k = x(j,b)$ and $d = r(j,b)$. Now define $k' = x(i,a)$ and $d' = r(i,a)$, assuming that $r(i,a) > 0$. Consequently,

$W_{k'}^{[d']} \Rightarrow R_i^{[a]} \Rightarrow W_k^{[d]} \Rightarrow R_j^{[b]}$. (12)

In order to reach a contradiction, we assume that $R_j^{[b]} \to R_i^{[a]}$. Consider Equation 12. By definition of $x$ and $r$, $S_j^{[b]}$ sees $v_k^{[d]}$, and $S_i^{[a]}$ sees $v_k^{[c(i,a,k)]}$. We now wish to show that $c(i,a,k) \neq d$. To reach a contradiction assume that $c(i,a,k) = d$. Since $S_i^{[a]}$ sees $v_k^{[d]}$ and $v_{k'}^{[d']}$, and $k' = x(i,a)$, $S_i^{[a]}$ finds $k < k'$ in $\bar{o}_i$. Now P1b shows that $L_k^{[d]} \Rightarrow' L_{k'}^{[d']}$. By definition of $\Rightarrow$ this implies that $W_k^{[d]} \Rightarrow W_{k'}^{[d']}$, which contradicts Equation 12. Thus $c(i,a,k) \neq d$.

By assumption $R_j^{[b]} \to R_i^{[a]}$, thus $S_j^{[b]} \to' S_i^{[a]}$. Since $S_j^{[b]}$ sees $v_k^{[d]}$, $S_i^{[a]}$ sees $v_k^{[c(i,a,k)]}$, and $c(i,a,k) \neq d$, P3 now shows that $d < c(i,a,k)$. This implies that $L_k^{[d]} \Rightarrow' L_k^{[c(i,a,k)]}$. Thus, by definition of $\Rightarrow$ it follows that:

$W_k^{[d]} \Rightarrow W_k^{[c(i,a,k)]}$. (13)

Next we show that $W_k^{[c(i,a,k)]} \Rightarrow R_i^{[a]}$. If not, the construction of the $\Rightarrow$ order and the facts that $k' = x(i,a)$ and $d' = r(i,a)$ imply that $W_{k'}^{[d']} \Rightarrow R_i^{[a]} \Rightarrow W_k^{[c(i,a,k)]}$. Consequently, $L_{k'}^{[d']} \Rightarrow' L_k^{[c(i,a,k)]}$. Then, P1b implies that $S_i^{[a]}$ finds $k' = x(i,a) < k$ in $\bar{o}_i$. However, by definition of $x(i,a)$, no such $k$ exists. Therefore $W_k^{[c(i,a,k)]} \Rightarrow R_i^{[a]}$. This fact along with Equation 13 and the fact that $\Rightarrow$ is transitive implies that $W_k^{[d]} \Rightarrow R_i^{[a]}$. Thus we have a contradiction to Equation 12.

Finally, consider the case where $r(i,a) = 0$. As in the previous case, $R_i^{[a]} \Rightarrow W_k^{[d]} \Rightarrow R_j^{[b]}$, where $W_k^{[d]}$ is given by $k = x(j,b)$ and $d = r(j,b)$. Since $r(i,a) = 0$, the definition of $r(i,a)$ and P1b imply that $c(i,a,z) = 0$ for all $z \in \{1 \ldots n\}$. In order to reach a contradiction assume that $R_j^{[b]} \to R_i^{[a]}$. This implies that $S_j^{[b]} \to' S_i^{[a]}$. Furthermore, since $c(i,a,k) = 0$ and $d = r(j,b) > 0$, $c(i,a,k) \neq r(j,b)$. Now P3 shows that $r(j,b) < c(i,a,k)$, which contradicts the fact that $c(i,a,k) = 0$ and $d = r(j,b) > 0$. ■

We now show that the READ and WRITE operations ordered by the $\Rightarrow$ order form a sequence permitted by the serial specification S of Definition 8.1.

Lemma 8.5 Let $s$ be the sequence of READ and WRITE operations of $\beta$ ordered by the $\Rightarrow$ order. Then $s \in S$.

Proof: There are two cases: $r(i,a) > 0$ and $r(i,a) = 0$. When $r(i,a) > 0$ the definition of $\Rightarrow$ implies that $R_i^{[a]}$ is immediately preceded by $W_{x(i,a)}^{[r(i,a)]}$, where $r(i,a) = c(i,a,x(i,a))$. Now, P0 shows that $v_{i,x(i,a)} = val_{x(i,a)}^{[r(i,a)]}$. When $r(i,a) = 0$, the definition of $\Rightarrow$ implies that $R_i^{[a]}$ precedes all WRITE operations. Also, P0 shows that $v_{i,x(i,a)} = val_{x(i,a)}^{[0]} = v_0$. Noting that $R_i^{[a]}$ returns $v_{i,x(i,a)}$ completes the proof. ■
Finally, we prove that MRMW is well-formed-preserving and response-live.

Lemma 8.6 MRMW is well-formed-preserving and response-live.

Proof: Notice, by inspecting the precondition clauses in the code of Figure 7, that for the equivalence class $C_i$ of part(MRMW), there is always at most one action enabled. Furthermore each action remains enabled until it is executed. Consequently, the actions must be executed in the sequence in which they are enabled. Furthermore, in a fair execution each enabled action will eventually be executed.

Now consider any fair execution whose behavior has a well-formed-input. Since CTSS is well-formed-preserving and response-live, inspection of the precondition-effect code in Figure 7 shows that the following sequence of actions is executed in response to a BEGINREAD$_i$ input action: BEGINSCAN$_i$, ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$, and ENDREAD$_i(v_{i,max})$. In response to a BEGINWRITE$_i(val_i)$ input action, the following sequence of actions is executed: BEGINLABEL$_i(val_i)$, ENDLABEL$_i$, and ENDWRITE$_i$. Finally, no actions of $C_i$ are enabled between the execution of an ENDREAD$_i(v_{i,max})$ or ENDWRITE$_i$ action and the next execution of a BEGINREAD$_i$ or a BEGINWRITE$_i(val_i)$ action. Inspection of these action sequences and the definitions of well-formed-preserving and response-live immediately shows that MRMW is well-formed-preserving and response-live. ■

We can now conclude that MRMW, if it uses our bounded CTSS construction, is a bounded atomic multireader multiwriter register.

Lemma 8.7 MRMW is an atomic register satisfying serial specification S.

Proof: By Lemma 8.6, MRMW is well-formed-preserving and response-live. Now consider any behavior $\beta \in$ fairbehs(MRMW) that has a well-formed-input. Since MRMW is well-formed-preserving and response-live, $\beta$ is well-formed and response-live. Consider the order $\Rightarrow$ on the operations in $\beta$ defined in the preceding discussion. Lemma 8.5 shows that the order satisfies the serial specification S. Lemma 8.1, Lemma 8.2, Lemma 8.3, and Lemma 8.4 show that $\Rightarrow$ is consistent with the partial order $\to$. ■
8.2 Mutual Exclusion

The mutual exclusion problem, originally due to Dijkstra [10], is stated informally as follows (a more formal treatment, which also introduces fault tolerance issues, can be found in [22]; see also Footnote 10). A system of $n$ asynchronous processes communicate via shared memory consisting of single writer multireader atomic registers. The program of every process consists of two distinguished sections: a remainder section and a critical section. Processes alternate between executing the remainder and the critical section. The fundamental goal of the mutual exclusion algorithm is to limit the number of processes concurrently executing the critical section to 1. To solve the mutual exclusion problem, one is required to design trying and exit program sections to be performed before and after executing the critical section respectively. The trying section coordinates the entry into the critical section. In our algorithm the trying section has a subsection called the doorway section. This section is the first part of the trying section and is waitfree. The behavior of a mutual exclusion algorithm is characterized as follows (in order to simplify the discussion, this section uses a slightly less formal approach than the previous sections):

Mutual Exclusion: In any reachable state, no two processes are executing the critical section.

Deadlock Freedom: In any reachable state, if there exists some process that is in the trying section, then there exists a process that is in the critical section or a process that will eventually enter the critical section.

Lockout Freedom:

1. In any execution, if there is no process that is forever executing the critical section, any process executing the trying section will eventually execute the critical section.

2. In any reachable state, if there is some process in the exit section, then some process will eventually enter the remainder section.

The fairness property of lockout freedom is strengthened in the following way.

First Come First Serve: If process $p_i$ finishes executing the doorway section before process $p_j$ begins executing the doorway section, then $p_i$ executes the critical section before $p_j$ does.



(Footnote 10) Many solutions to the problem have been proposed over the years (see [31]).
The pseudocode version of our mutual exclusion algorithm is presented in Figure 8. The algorithm is a simplified version of Lamport's Bakery Algorithm [19]. Our notation uses BEGINLABEL$_i$() and ENDLABEL$_i$ instead of just LABEL$_i$() in order to clearly indicate what the atomic actions are. The reason for using BEGINSCAN$_i$ and ENDSCAN$_i$ instead of SCAN$_i$ is the same. Lines 1-8 represent the trying section and line 10 the exit section. The doorway section consists of lines 1-4. In addition to the shared variables associated with the CTSS, each process $p_i$ has a shared variable called $x_i$ which is implemented as a single writer multireader atomic register. Process $p_i$ writes $x_i$ and all other processes read $x_i$. The variable $\bar{o}_i$ is a local variable that contains the result of the SCAN$_i$ operation of lines 6 and 7. Lines 1, 2, 3, 4, 6, 7, 9, 10, and 11 each represent atomic actions. Since lines 5 and 8 read the shared atomic variables $x_j$ for $j \in \{1 \ldots n\}$, lines 5 and 8 consist of one atomic action for each time a particular $x_j$ is read. For every execution of lines 5 and 8 each $x_j$, for $j \in \{1 \ldots n\}$, is read once. The states of the Lamport-Bakery mutual exclusion algorithm are defined by the values of the variables associated with the CTSS, the shared variables $x_i$ for all $i$, as well as all local variables and the program counter, $pc_i$, of each process.
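As an added illustration (not the paper's code), the following simulation executes Figure 8 one atomic action at a time under a random scheduler, with lines 5 and 8 split into one action per $x_j$ read, as the text describes. The CTSS is a toy unbounded one whose label, a (sequence number, process index) pair, is assigned atomically at the ENDLABEL$_i$ step, and whose scan at line 7 returns $\bar{o}_i$ as the process indexes sorted by label; that toy CTSS is an assumption for the simulation only. After every action the simulation checks the mutual exclusion property, and at the end it checks the first-come-first-serve property against the recorded doorway and critical-section entry times. The class, function names, parameters and the seeds are all constructed for this example.

```python
import random

L, T, NIL = "L", "T", None        # values of the shared flag x_i: labeling, trying, idle


class Bakery:
    """Step-level simulation of Figure 8 (added example, not the paper's code).
    step(i) executes exactly one atomic action of process p_i: lines 1, 2, 3, 4,
    6, 7, 9, 10 and 11 are one action each; lines 5 and 8 are one action per x_j
    read. The CTSS is a toy unbounded one: a label is (sequence number, process
    index) and is assigned atomically at the ENDLABEL_i step (line 3)."""

    def __init__(self, n):
        self.n = n
        self.x = [NIL] * n                            # single-writer registers x_i
        self.labels = [(0, i) for i in range(n)]      # toy CTSS labels, initially (0, i)
        self.pc = [1] * n                             # program counter = line number
        self.j = [0] * n                              # which x_j line 5 / line 8 reads next
        self.o = [list(range(n)) for _ in range(n)]   # o-bar_i from the last SCAN_i
        self.done = [0] * n                           # completed rounds per process
        self.cur = [None] * n                         # [pid, door_start, door_end, cs_enter]
        self.rounds = []                              # finished rounds, for the FCFS check
        self.clock = 0

    def in_critical_section(self):
        return [i for i in range(self.n) if self.pc[i] == 9]

    def step(self, i):
        self.clock += 1
        pc, j = self.pc[i], self.j[i]
        if pc == 1:                                   # x_i <- L (doorway begins)
            self.x[i] = L
            self.cur[i] = [i, self.clock, None, None]
            self.pc[i] = 2
        elif pc == 2:                                 # BEGINLABEL_i()
            self.pc[i] = 3
        elif pc == 3:                                 # ENDLABEL_i: a label above all seen
            self.labels[i] = (max(s for s, _ in self.labels) + 1, i)
            self.pc[i] = 4
        elif pc == 4:                                 # x_i <- T (doorway ends)
            self.x[i] = T
            self.cur[i][2] = self.clock
            self.j[i], self.pc[i] = 0, 5
        elif pc == 5:                                 # L1: one atomic read of x_j
            if self.x[j] == L:
                self.j[i] = 0                         # goto L1: start the check over
            elif j + 1 < self.n:
                self.j[i] = j + 1
            else:
                self.pc[i] = 6
        elif pc == 6:                                 # L2: BEGINSCAN_i
            self.pc[i] = 7
        elif pc == 7:                                 # o_i <- ENDSCAN_i (atomic in the toy)
            self.o[i] = sorted(range(self.n), key=lambda k: self.labels[k])
            self.j[i], self.pc[i] = 0, 8
        elif pc == 8:                                 # one atomic read of x_j
            rank = self.o[i].index
            if rank(j) < rank(i) and self.x[j] == T:
                self.pc[i] = 6                        # goto L2: a smaller label is trying
            elif j + 1 < self.n:
                self.j[i] = j + 1
            else:
                self.cur[i][3] = self.clock           # p_i enters the critical section
                self.pc[i] = 9
        elif pc == 9:                                 # critical section
            self.rounds.append(tuple(self.cur[i]))
            self.pc[i] = 10
        elif pc == 10:                                # x_i <- NIL (exit section)
            self.x[i] = NIL
            self.pc[i] = 11
        else:                                         # remainder section, then repeat
            self.done[i] += 1
            self.pc[i] = 1


def fcfs_holds(rounds):
    """If p finished its doorway before q began its doorway, p entered the CS first."""
    return all(a[3] < b[3] for a in rounds for b in rounds if a[2] < b[1])


def check_bakery(n=3, rounds=3, seed=1, max_steps=50000):
    """Random interleaving of n processes, each passing through the critical
    section `rounds` times. Returns which properties held in this execution."""
    rnd = random.Random(seed)
    sim = Bakery(n)
    mutex = True
    for _ in range(max_steps):
        live = [i for i in range(n) if sim.done[i] < rounds]
        if not live:
            break
        sim.step(rnd.choice(live))
        mutex = mutex and len(sim.in_critical_section()) <= 1
    finished = all(d >= rounds for d in sim.done)
    return {"mutex": mutex, "fcfs": fcfs_holds(sim.rounds), "finished": finished}
```

The `finished` flag is the empirical counterpart of lockout freedom: the random scheduler picks every live process with positive probability, so a run that exhausts `max_steps` without all processes completing their rounds would point at a starvation. Dropping the wait at line 5 (the check for $x_j = L$) is an instructive experiment with this harness; it is exactly the doorway guard that Lemma 8.8 relies on.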

Our correctness proof essentially follows the arguments given in [28] and [22]. The contribution of our proof is that it is based on the CTSS specification. We now introduce some notation that will be used in the correctness proof. Consider the state $s$ in any execution. If process $p_i$ is not executing the LABEL$_i$ operation in state $s$, in other words $pc_i \neq 2$ and $pc_i \neq 3$, we define the function $l(i,s)$, which is a function from the set of process indexes and the set of states to the set of execution numbers of the LABEL operations of the execution. $s(i,s)$ is defined in a similar manner for the SCAN$_i$ operations.

Definition 8.2 (function $l$) Consider an execution $\alpha$. Let $s$ be a state in $\alpha$ where $pc_i \neq 2$ and $pc_i \neq 3$. Then, define $l(i,s)$ to be the execution number of the LABEL$_i$ operation whose ENDLABEL$_i$ action was the last ENDLABEL$_i$ action executed in $\alpha$ before state $s$. ■

Definition 8.3 (function $s$) Consider an execution $\alpha$. Let $s$ be a state in $\alpha$ where $pc_i \neq 6$ and $pc_i \neq 7$. Then, define $s(i,s)$ to be the execution number of the SCAN$_i$ operation whose ENDSCAN$_i$ action was the last ENDSCAN$_i$ action executed in $\alpha$ before state $s$. ■
Intuitively, for a state $s$, $L_i^{[l(i,s)]}$ is the most recently executed LABEL$_i$ operation and $S_i^{[s(i,s)]}$ is the most recently executed SCAN$_i$ operation. In order to simplify the presentation, we do not provide the argument for why $p_i$ has $pc_i \neq 2$ and $pc_i \neq 3$, or $pc_i \neq 6$ and $pc_i \neq 7$, when discussing $L_i^{[l(i,s)]}$ or $S_i^{[s(i,s)]}$ in cases where it is obvious. The order $\to$ is used to order states of an execution as well as the CTSS operation instances in the execution.

Definition 8.4 ($\to$ order) Let $A_1$ and $A_2$ be CTSS operation instances and $s_1$ and $s_2$ be occurrences of states in an execution $\alpha$ of the Lamport-Bakery mutual exclusion algorithm. Then:

1. $A_1 \to A_2$ iff the response action associated with $A_1$ occurs before the request action associated with $A_2$.

2. $A_1 \to s_1$ iff the response action associated with $A_1$ occurs before $s_1$.

3. $s_1 \to A_1$ iff the request action associated with $A_1$ occurs after $s_1$.

4. $s_1 \to s_2$ iff $s_1$ occurs before $s_2$.



Note that $\to$ provides a total order for the states and a partial order for the CTSS operation instances. Now consider any execution $\alpha$ of the Lamport-Bakery mutual exclusion algorithm. We wish to show that the execution satisfies the four properties for mutual exclusion given above. Notice that the projection of the execution onto the external actions of CTSS gives a behavior of CTSS that has a well-formed-input. Consequently, the projection of the execution onto the external actions of CTSS must satisfy axioms P0, P1, and P2 (see Footnote 11) of Section 3. Let $\Rightarrow$ and $c$ be an order and a choice function that satisfy P0, P1, and P2 for the projection of $\alpha$ onto the external actions of CTSS. Now consider the following lemma, which will be used to prove the mutual exclusion property.

Lemma 8.8 In any state $s$ of the execution $\alpha$, if $p_i$ is in the critical section and $x_j = T$ then $L_i^{[l(i,s)]} \Rightarrow L_j^{[l(j,s)]}$.



(Footnote 11) Axioms P3 and P4 are not needed for the Lamport-Bakery mutual exclusion algorithm.
repeat forever
     1        x_i <- L
     2        BEGINLABEL_i()
     3        ENDLABEL_i
     4        x_i <- T
     5   L1:  if there exists j such that x_j = L then goto L1
     6   L2:  BEGINSCAN_i
     7        o_i <- ENDSCAN_i
     8        if there exists j such that j < i in o_i and x_j = T then goto L2
     9        critical section
    10        x_i <- NIL
    11        remainder section
end repeat

Figure 8: Pseudocode for Lamport-Bakery mutual exclusion algorithm

Proof: Consider the first state in the execution $\alpha$ after the action in which $p_i$ reads $x_j \neq L$ in line 5 for the last time before state $s$. Call this state $s_1$. Since $x_j \neq L$, $pc_j \neq 2$ and $pc_j \neq 3$ in state $s_1$. Hence we can now consider two cases: $L_j^{[l(j,s)]} \to s_1$ and $s_1 \to L_j^{[l(j,s)]}$.

$L_j^{[l(j,s)]} \to s_1$: Consider the last state in $\alpha$ before the action in which $p_i$ considers $p_j$ for the last time in line 8 before state $s$. Call this state $s_2$. Since $p_i$ enters the critical section, there are three cases to consider: $i < j$ in $\bar{o}_i$ and $x_j = T$; $i < j$ in $\bar{o}_i$ and $x_j \neq T$; and $j < i$ in $\bar{o}_i$ and $x_j \neq T$. We consider the last two cases together by showing that the case $x_j \neq T$ cannot arise.

$i < j$ in $\bar{o}_i$ and $x_j = T$: In this case $L_j^{[l(j,s)]} \to s_1 \to S_i^{[s(i,s_2)]}$, therefore $L_j^{[l(j,s)]} \to S_i^{[s(i,s_2)]}$. Furthermore, by definition of $l(j,s)$ there exists no $L_j^{[b]}$, where $b \neq l(j,s)$, such that $L_j^{[l(j,s)]} \to L_j^{[b]} \to S_i^{[s(i,s_2)]}$. Consequently, P2 shows that $c(i,s(i,s_2),j) = l(j,s)$. The same argument shows that $c(i,s(i,s_2),i) = l(i,s)$. Since $p_i$ found $i < j$ in $\bar{o}_i$ of $S_i^{[s(i,s_2)]}$, P1b shows that $L_i^{[l(i,s)]} \Rightarrow L_j^{[l(j,s)]}$.

$x_j \neq T$: In this case $x_j = $ NIL or $x_j = L$. If $x_j = $ NIL, then since $x_j = T$ in state $s$ and $s_2 \to s$, $p_j$ must execute the LABEL$_j$ operation of lines 2 and 3 between $s_2$ and $s$. Consequently $s_1 \to L_j^{[l(j,s)]}$, which contradicts the assumption that $L_j^{[l(j,s)]} \to s_1$. So, it must be that $x_j = L$ in state $s_2$. Recall that $x_j \neq L$ in $s_1$ and $x_j = T$ in $s$. Since $s_1 \to s_2 \to s$, inspection of the code shows that $p_j$ must execute the LABEL$_j$ operation of lines 2 and 3 between $s_1$ and $s$. This implies that $s_1 \to L_j^{[l(j,s)]}$, which contradicts the assumption that $L_j^{[l(j,s)]} \to s_1$. Therefore this case cannot arise.

$s_1 \to L_j^{[l(j,s)]}$: Since $L_i^{[l(i,s)]} \to s_1$, we can conclude that $L_i^{[l(i,s)]} \to L_j^{[l(j,s)]}$. Now P1a implies that $L_i^{[l(i,s)]} \Rightarrow L_j^{[l(j,s)]}$. ■



With this lemma, it is easy to show mutual exclusion.

Lemma 8.9 In any state $s$ of the execution $\alpha$, if $p_i$ is in the critical section, then there exists no $j \neq i$ such that $p_j$ is in the critical section.

Proof: We proceed by contradiction. Assume that there exists a state $s$ such that $p_i$ and $p_j$ are in the critical section, where $i \neq j$. Since $p_i$ and $p_j$ are in the critical section, $x_i = T$ and $x_j = T$. Now Lemma 8.8 implies that $L_i^{[l(i,s)]} \Rightarrow L_j^{[l(j,s)]}$ and $L_j^{[l(j,s)]} \Rightarrow L_i^{[l(i,s)]}$. By P1, $\Rightarrow$ is a total order, so we have a contradiction. ■

The following lemma shows that the Lamport-Bakery mutual exclusion algorithm satisfies the FCFS property.

Lemma 8.10 Consider the execution $\alpha$. Let $s_i$ be any state after $p_i$ executes the action on line 3 but before $p_i$ is in the critical section for the first time after the execution of the action. Let $s_j$ be any state before $p_j$ executes the action on line 2 such that $p_j$ must execute line 2 before it enters the critical section for the first time after $s_j$. Assume that $s_i \to s_j$. Let $s_{c_i}$ be the first state in which $p_i$ is in the critical section after $s_i$. Let $s_{c_j}$ be the first state in which $p_j$ is in the critical section after $s_j$. Then $s_{c_i} \to s_{c_j}$.

Proof: For a contradiction assume that $s_{c_j} \to s_{c_i}$. In $s_{c_j}$, $p_j$ is in the critical section and $x_i = T$. Hence Lemma 8.8 implies that $L_j^{[l(j,s_{c_j})]} \Rightarrow L_i^{[l(i,s_{c_j})]}$. However, since $s_i \to s_j$, we know that $L_i^{[l(i,s_{c_j})]} \to L_j^{[l(j,s_{c_j})]}$, which by P1a is a contradiction. ■

Next we consider the deadlock freedom property of the Lamport-Bakery mutual exclusion algorithm. We consider the second part of the property first.

Lemma 8.11 Suppose that process $p_i$ is in the exit section in state $s$ of execution $\alpha$. Then $p_i$ will eventually enter the remainder section.

Proof: The lemma follows immediately from the fact that the exit section, line 10, consists of a single waitfree action. ■

Lemma 8.12 If $p_i$ is in the trying section in state $s_i$ of execution $\alpha$, then there exists some process that is in the critical section, or there exists some process that eventually enters the critical section.

Proof: Let $p_i$ be in the trying section in $s_i$. If there exists some process in the critical section in $s_i$, then we are done. Therefore, assume that no such process exists. Let $s_c$, where $s_i \to s_c$, be the state in which the first process is in the critical section after $s_i$. Since the code of Figure 8 is waitfree, except for lines 5 and 8, $p_i$ will eventually reach line 5. Label this state in the execution as $s_1$. Now let $S$ be the set of processes that are in the trying section in state $s_1$. If there are any processes in the exit section in state $s_1$, Lemma 8.11 implies that there exists a state $s_2$, where $s_1 \to s_2$, such that there are no processes in the exit section in state $s_2$.

Let $p_k \in \{1 \ldots n\} - S$. If $x_k = T$ in any state between $s_2$ and $s_c$, it must be that $p_k$ executes the LABEL$_k$ operation of lines 2 and 3 after the state $s_1$. Furthermore $p_i$ last executes the LABEL$_i$ operation before state $s_1$. Hence P1a shows that for any state $s$ between $s_2$ and $s_c$ where $x_k = T$:

$L_i^{[l(i,s)]} \Rightarrow L_k^{[l(k,s)]}$. (14)

Consider any $p_j \in S$. If $x_j = T$, then $L_j^{[l(j,s_2)]}$ is defined. If $x_j = L$, then $L_j^{[l(j,s_2)]}$ may not be defined. Since lines 1-4 are waitfree, it will eventually be the case that $x_j = T$ for all $p_j \in S$. Call this state $s_3$. Now $L_j^{[l(j,s_3)]}$ is defined for all $p_j \in S$. Consider $p_j \in S$ such that $L_j^{[l(j,s_3)]} \Rightarrow L_k^{[l(k,s_3)]}$ for all $p_k \in S$ and $k \neq j$. By P1, $\Rightarrow$ is a total order, hence $p_j$ exists.

Since none of the processes in $S$ pick a new label between $s_3$ and $s_c$, $L_j^{[l(j,s)]} \Rightarrow L_k^{[l(k,s)]}$ for all $k \neq j$, $k \in S$, and $s$ between $s_3$ and $s_c$. Furthermore, for all $p_k \in \{1 \ldots n\} - S$ where $x_k = T$ and $s$ between $s_3$ and $s_c$, $L_j^{[l(j,s)]} \Rightarrow L_k^{[l(k,s)]}$. This is a consequence of Equation 14, which shows that $L_i^{[l(i,s)]} \Rightarrow L_k^{[l(k,s)]}$, and the definition of $p_j$, which shows that $L_j^{[l(j,s)]} \Rightarrow L_i^{[l(i,s)]}$. The process $p_j$ will progress past line 5 unless there exists some process $p_k$ such that $x_k = L$. Eventually, it must be that $x_k \neq L$. Furthermore, $x_k \neq L$ at least until $s_c$. Thus each process that is preventing $p_j$'s progress at line 5 will eventually have $x_k \neq L$. At this point $p_j$ will advance to line 8. Process $p_j$ will advance to the critical section unless there exists some process $p_k$ such that $x_k = T$ and $p_j$ orders $k < j$ in the $\bar{o}_j$ returned by the SCAN$_j$ operation executed in lines 6 and 7 just prior to $p_j$ finding $k < j$ in line 8. Since the SCAN$_j$ operation of lines 6 and 7 continues to be executed while there exists some process $p_k$ such that $x_k = T$ and $k < j$ in $\bar{o}_j$, there must eventually be a state $s$ between states $s_3$ and $s_c$ such that $L_k^{[l(k,s)]} \to S_j^{[s(j,s)]}$. By definition of $l(k,s)$ there exists no $L_k^{[b]}$, where $b \neq l(k,s)$, such that $L_k^{[l(k,s)]} \to L_k^{[b]} \to S_j^{[s(j,s)]}$. Consequently P2 shows that $c(j,s(j,s),k) = l(k,s)$. The same argument shows that $c(j,s(j,s),j) = l(j,s)$. Since $p_j$ orders $k < j$ in $\bar{o}_j$, P1b shows that $L_k^{[l(k,s)]} \Rightarrow L_j^{[l(j,s)]}$. However, such a $k$ cannot exist in state $s$ since $s$ is between the states $s_3$ and $s_c$ and, for all states $s'$ between $s_3$ and $s_c$, $L_j^{[l(j,s')]} \Rightarrow L_k^{[l(k,s')]}$ for all $k \in S$ and all $k \in \{1 \ldots n\} - S$ where $x_k = T$. Therefore, $p_j$ will eventually enter the critical section. ■

Finally, we consider the no lockout property.

Lemma 8.13 Suppose that in the state $s_i$ in execution $\alpha$, $p_i$ is in the trying section. If there is no $p_j$ such that $p_j$ is in the critical section for all states after some state $s_j$, then $p_i$ will eventually enter the critical section.

Proof: The first 4 lines of the trying section are waitfree. Therefore, $p_i$ will eventually complete these lines. Call the first state after line 4 completes $s_1$. Let $S$ be the set of processes $p_j$ for which it is possible that $p_j$ is in the critical section in some state which succeeds $s_1$ but precedes the state in which $p_i$ enters the critical section. Clearly $S \subseteq \{1, \ldots, n\} - \{i\}$. Since $p_i$ is in the trying section, Lemma 8.12 says that $p_i$ or some $p_j \in S$ will eventually enter the critical section. The proof is complete if $p_i$ enters the critical section, so assume that $p_j$ enters the critical section. After $p_j$ exits the critical section, $p_j$ must start executing line 2 after some state $s_j$, where $s_i \to s_j$, before $p_j$ enters the critical section a subsequent time. Now Lemma 8.10 shows that $S = S - \{j\}$ after $p_j$ exits the critical section. We repeat this argument until $S = \emptyset$. Then Lemma 8.12 says that $p_i$ eventually enters the critical section. ■

9 Formal Justification for Use of Snapshot

The purpose of this section is to formally justify the manner in which the snapshot operations SNAP and UPDATE of [1] are used in BCTSS and UCTSS. Specifically, we must justify the fact that we do not use separate actions for the invocation and response of each snapshot operation.
9.1 Theory

In order to provide a strong theoretical foundation for the discussion, we extend some of the concepts introduced in Section 2. Most of the ideas in the following discussion are taken from Goldman, Lynch and Yelick [15]. We present a simplified and less general version of their results.

Goldman et al. introduce the concept of an environment, a process and an object. Intuitively, 
an environment refers to the user of a particular I/O Automaton. The I/O Automata model 
generally does not model the users of I/O Automata except to describe the situations in which 
a user is expected to issue input actions. A process is an I/O Automaton that performs an 
operation on behalf of the environment. Typically the interface between the environment and 
a process is described by a set of input actions that are used by the environment to request an 
operation and output actions that are used by the process to respond to an operation request. 
Finally, objects are I/O Automata that model shared data types that provide a means for a set 
of processes to communicate. The following discussion formalizes these concepts. Note that we 
largely retain the notational conventions used in Section 2. 

Definition 9.1 (object I/O Automata) An object I/O Automaton, o, which can be used 
by n process I/O Automata (see Definition 9.2) is an I/O Automaton with an operational 
interface which is characterized as follows. For each i ∈ {1 . . . n}, there exists a disjoint set of 
operation types ops_i(o) ⊆ ops(exsig(o)). For each operation type a_i ∈ ops_i(o), we denote the 
input actions by INVOKE_{o,p_i}(a_i, v) and the output actions by RESPONSE_{o,p_i}(a_i, r). ■ 

As a shorthand for an object I/O Automaton we use the term object. The subscript o,p_i 
indicates that a process I/O Automaton denoted by p_i will use this action to communicate with 
the object o when o and p_i are composed. We now present a formal definition for a process I/O 
Automaton. 

Definition 9.2 (process I/O Automata) A process I/O Automaton, p_i, is an I/O Automa- 
ton with an operational interface which is comprised of two disjoint sets of operation types: 

• There are a set of operation types which describe the interface between the process and 
the environment. For any such operation type called a_i we denote the input actions by 
INVOKE_{p_i}(a_i, v) and the output actions by RESPONSE_{p_i}(a_i, r). 

• There are a set of operation types which describe the interface between the process and 
an object¹² denoted by o. For any such operation type called a_i we denote the input 
actions¹³ by RESPONSE_{o,p_i}(a_i, r) and the output actions by INVOKE_{o,p_i}(a_i, v). 



For the discussion that follows, let A be any I/O Automaton that is a composition of n pro- 
cesses {p_1 . . . p_n} and one object o where the external actions of o are hidden. We now define 
various characteristics of schedules of A. These characteristics will be used in the definition of 
an I/O Automaton called an IR system. Let β be a schedule of A. Then β|p_i is the projec- 
tion of β onto all INVOKE_{p_i}(a_i, v) and RESPONSE_{p_i}(a_i, r) actions that constitute p_i's interface 
with the environment. Similarly, β|o,p_i is the projection of β onto all INVOKE_{o,p_i}(a_i, v) and 
RESPONSE_{o,p_i}(a_i, r) actions that constitute p_i's interface with the object o. In order to ensure 
that a process only issues requests to an object when that process is servicing a request from the 
environment, we introduce the concept of a process p_i being active after a prefix of a particular 
schedule. Specifically, a process p_i is active after a prefix β' of the schedule β of A if the last 
action in β'|p_i is an INVOKE_{p_i}(a_i, v) action. 

Definition 9.3 (IR-well-formed) Let β be a schedule of A. We say β is IR-well-formed if 

1. beh(β) is well-formed. 

2. Every INVOKE_{o,p_i}(a_i, v) action in β|o,p_i occurs from a prefix of β after which p_i is active. 

3. β|o,p_i consists of an alternating sequence of input and output actions of o, starting with 
an input action, such that each RESPONSE_{o,p_i}(a_i, r) action is immediately preceded by an 
INVOKE_{o,p_i}(a_i, v) action. 

4. In β no actions of p_i occur between any pair of corresponding INVOKE_{o,p_i}(a_i, v) and 
RESPONSE_{o,p_i}(a_i, r) actions. 



¹² [15] allows processes to have an interface to an arbitrary number of objects. For the sake of simplicity, we 
restrict attention to processes which have an interface to only one object. 

¹³ Notice that we have changed the notational convention for the process' interface with the object. This arises 
from the fact that the input actions of the object must have the same name as the output actions of the process. 
In this way, the process can initiate operation instances on the object (see discussion of composition in Section 2). 
Definition 9.4 (IR-well-formed-preserving) Let β be a schedule of A. β is IR-well-formed- 
preserving if, for all prefixes β' of β, where beh(β') has a well-formed-input, β' is IR-well-formed. ■ 

We say that A is IR-well-formed-preserving if every schedule of A is IR-well-formed-preserving. 

Definition 9.5 (IR system) Let A be an I/O Automaton that is a composition of n pro- 
cesses, {p_1 . . . p_n}, and one object, o, where the external actions of o are hidden. A is an IR 
system iff: 

1. The object o of A is an atomic I/O Automaton that satisfies some specification S. 

2. A is IR-well-formed-preserving. 

3. A is response-live. 



We now define an IRA system which is the same as an IR system except that it combines the 
INVOKE_{o,p_i}(a_i, v) and RESPONSE_{o,p_i}(a_i, r) actions into a single action called ATOMIC_{o,p_i}(a_i, v, r). 

Definition 9.6 (IRA system) Let I = {1 . . . n}. Let A be an IR system composed of n 
processes, {p_1 . . . p_n}, and an atomic object, o, satisfying specification S. Then the IRA system 
A' that corresponds to A is defined as follows: 

• states(A') = states(A) 

• start(A') = start(A) 

• sig(A') = (in(A), out(A), (int(A) − ⋃_{i∈I} {INVOKE_{o,p_i}(a_i, v), RESPONSE_{o,p_i}(a_i, r)}) 
  ∪ ⋃_{i∈I} {ATOMIC_{o,p_i}(a_i, v, r)}) 

• steps(A') = the set of all steps (a, π, a'') such that either: 

  – π ∉ ⋃_{i∈I} {INVOKE_{o,p_i}(a_i, v), RESPONSE_{o,p_i}(a_i, r)} and (a, π, a'') ∈ steps(A). 

  – π ∈ ⋃_{i∈I} {ATOMIC_{o,p_i}(a_i, v, r)} and there exists a state a' of A such that: 
    (a, INVOKE_{o,p_i}(a_i, v), a') ∈ steps(A) and (a', RESPONSE_{o,p_i}(a_i, r), a'') ∈ steps(A), and, 
    for any schedule β of A', the projection of β onto the set of all ATOMIC_{o,p_i}(a_i, v, r) 
    actions must be an element of the sequential specification of the atomic object o. 

• part(A') = part(A) except that the set of ATOMIC_{o,p_i}(a_i, v, r) actions, for all v and r, 
  replaces the set of INVOKE_{o,p_i}(a_i, v) actions for all v. 



In the action signature we are replacing the pair of actions INVOKE_{o,p_i}(a_i, v), RESPONSE_{o,p_i}(a_i, r) 
by a single action ATOMIC_{o,p_i}(a_i, v, r) such that ATOMIC_{o,p_i}(a_i, v, r) can be executed in A' in 
situations where the pair of actions INVOKE_{o,p_i}(a_i, v), RESPONSE_{o,p_i}(a_i, r) can be executed in 
A. The following significant theorem due to Goldman et al. [15] can be used to show that A' 
implements A. 

Theorem 9.1 Let A be an IR system and A' be the IRA system corresponding to A. If α is 
a fair execution of A, then there exists a fair execution α' of A' such that beh(α') = beh(α). 

Corollary 9.2 Let A be an IR system. Then A implements the IRA system corresponding to it. 

Proof: This follows immediately from Theorem 9.1. ■ 

9.2 Proof 

Figure 9 shows the code for UCTSS and BCTSS¹⁴ that uses the invocation and response actions for 
SNAP_i and UPDATE_i. We call these new I/O Automata UCTSS' and BCTSS'. Since the interface 
provided by [1] uses request and response actions, we can technically only use the SNAP_i and 
UPDATE_i primitives as is done in UCTSS' and BCTSS'. In order to show that UCTSS' and BCTSS' 
solve CTSS we will show that UCTSS' implements UCTSS and BCTSS' implements BCTSS. 

We proceed as follows. We show that UCTSS' and BCTSS' are IR systems, and then note 
that the IRA systems corresponding to UCTSS' and BCTSS' are UCTSS and BCTSS respectively. 



¹⁴ UCTSS and BCTSS share the code that is relevant to this discussion. 
SCAN_i: 

    BEGINSCAN_i 
        Eff:  op_i ← SCAN_i 
              pc_i ← BEGINSNAP_i 

    BEGINSNAP_i 
        Pre:  pc_i = BEGINSNAP_i 
        Eff:  pc_i ← NIL 

    ENDSNAP_i(t_i, v_i) 
        Eff:  If op_i = SCAN_i then 
                  o_i ← the sequence of indexes where 
                        j appears before k in o_i iff (t_j, j) ≺ (t_k, k) 
                  pc_i ← ENDSCAN_i(o_i, v_i) 
              If op_i = LABEL_i then 
                  nt_i ← NEWLABEL_i(t_i) 
                  pc_i ← BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) 

    ENDSCAN_i(o_i, v_i) 
        Pre:  pc_i = ENDSCAN_i(o_i, v_i) 
        Eff:  pc_i ← NIL 

LABEL_i: 

    BEGINLABEL_i(val_i) 
        Eff:  op_i ← LABEL_i 
              pc_i ← BEGINSNAP_i 

    BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) 
        Pre:  pc_i = BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) 
        Eff:  pc_i ← NIL 

    ENDUPDATE_i 
        Eff:  pc_i ← ENDLABEL_i 

    ENDLABEL_i 
        Pre:  pc_i = ENDLABEL_i 
        Eff:  pc_i ← NIL 

Figure 9: Precondition-Effect code for UCTSS' and BCTSS' 
This allows us to use Corollary 9.2 to conclude that UCTSS' implements UCTSS and BCTSS' 
implements BCTSS. 

Formally, UCTSS' and BCTSS' are a composition of n process I/O Automata {p_1 . . . p_n} and 
one object I/O Automaton o where p_i and o are defined as follows. Each process I/O Au- 
tomaton has two operation types that constitute its interface with the environment, LABEL_i 
and SCAN_i. The object interface of p_i consists of the SNAP_i and the UPDATE_i operation types. 
These operation types consist of the following external actions: LABEL_i consists of the input 
action BEGINLABEL_i(val_i) and the output action ENDLABEL_i. SCAN_i consists of the input ac- 
tion BEGINSCAN_i and the output action ENDSCAN_i(o_i, v_i). SNAP_i consists of the output action 
BEGINSNAP_i and the input action ENDSNAP_i(t_i, v_i). UPDATE_i consists of the output action 
BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) and the input action ENDUPDATE_i. There are no internal ac- 
tions. The partition is the same as it was for the UCTSS and BCTSS version of p_i (see Section 4) 
except that BEGINSNAP_i replaces SNAP_i(t_i, v_i) and BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) replaces 
UPDATE_i((t_i, v_i), (nt_i, val_i)). The steps of p_i are determined by the pc_i variable, and the states 
and start states are defined as they were for the UCTSS and BCTSS version of p_i. The object 
I/O Automaton o is the implementation of the snapshot object given in [1]. We do not provide 
the code for o, but present some of its characteristics relevant to our discussion. The interface 
with the processes consists of 2n operation types SNAP_i and UPDATE_i for i ∈ {1 . . . n}. Each 
of these operation types consists of the following external actions: SNAP_i consists of the input 
action BEGINSNAP_i and the output action ENDSNAP_i(t_i, v_i), and UPDATE_i consists of the input 
action BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) and the output action ENDUPDATE_i. Furthermore, o 
is an atomic I/O Automaton satisfying the SNAPSHOT serial specification. 

Definition 9.7 (snapshot serial specification) A sequence of operation instances α is in 
SNAPSHOT if and only if the following conditions hold. For any i, if a SNAP_i operation instance 
returns the set of values, v, and labels, t, then v_k and t_k are the value and label written by the 
UPDATE_k operation instance that immediately precedes SNAP_i in α. If a SNAP_i operation in- 
stance is not preceded by an UPDATE_k operation instance, then v_k and t_k are equal to their 
initial values. ■ 

Lemma 9.3 UCTSS' and BCTSS' are IR systems. 
Proof: From [1] we know that the object I/O Automaton of UCTSS' and BCTSS' is an atomic 
object I/O Automaton that satisfies the SNAPSHOT serial specification given in Definition 9.7. 
So we must show that UCTSS' and BCTSS' are IR-well-formed-preserving and response-live. 

Notice by inspecting the precondition clauses in the code of Figure 9 that for any equiv- 
alence class C_i of part(UCTSS') and part(BCTSS'), there is always at most one action enabled. 
Furthermore each action remains enabled until it is executed. Consequently, the actions must 
be executed in the sequence in which they are enabled. Furthermore, in a fair execution each 
enabled action will eventually be executed. 

Now consider any fair execution whose behavior has a well-formed-input. Since the object o 
is well-formed-preserving and response-live, inspection of the precondition-effect code in Fig- 
ure 9 shows that the following sequence of actions is executed in response to a BEGINSCAN_i input 
action: BEGINSNAP_i, ENDSNAP_i(t_i, v_i), and ENDSCAN_i(o_i, v_i). Following a BEGINLABEL_i(val_i) 
input action, the following sequence of actions is executed: BEGINSNAP_i, ENDSNAP_i(t_i, v_i), 
BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)), ENDUPDATE_i, and ENDLABEL_i. Finally, no actions of p_i are 
enabled between the execution of an ENDSCAN_i(o_i, v_i) or ENDLABEL_i action and the next execu- 
tion of a BEGINSCAN_i or BEGINLABEL_i(val_i) action. Inspection of these action sequences and 
the definitions of IR-well-formed-preserving and response-live immediately shows that UCTSS' 
and BCTSS' are IR-well-formed-preserving and response-live. ■ 

Now that we have shown that UCTSS' and BCTSS' are IR systems, note that the IRA systems 
corresponding to UCTSS' and BCTSS' are UCTSS and BCTSS respectively. Specifically, in UCTSS 
and BCTSS the BEGINSNAP_i and ENDSNAP_i(t_i, v_i) actions of UCTSS' and BCTSS' are replaced 
by the SNAP_i(t_i, v_i) action. Similarly, the BEGINUPDATE_i((t_i, v_i), (nt_i, val_i)) and ENDUPDATE_i 
actions are replaced by the UPDATE_i((t_i, v_i), (nt_i, val_i)) action (see Definition 9.6). 
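As an added illustration (our code, not the paper's or [1]'s), the following Python checks conditions 2-4 of Definition 9.3 on the part of a schedule belonging to one process p_i, using the action names of Figure 9, and then performs the fusion of Definition 9.6 that turns the BEGINSNAP_i/ENDSNAP_i and BEGINUPDATE_i/ENDUPDATE_i pairs into the SNAP_i and UPDATE_i actions of UCTSS and BCTSS. The tuple encoding of actions and the sample schedules are constructed here; condition 1 (well-formedness of beh(β)) and the reordering of other processes' actions supplied by Theorem 9.1 are not reproduced.

```python
from typing import List, Optional, Tuple

FIG9 = {  # Figure 9 action name -> (kind, interface, operation type); the tuple encoding is ours
    "BEGINSCAN": ("INVOKE", "env", "SCAN"),     "ENDSCAN": ("RESPONSE", "env", "SCAN"),
    "BEGINLABEL": ("INVOKE", "env", "LABEL"),   "ENDLABEL": ("RESPONSE", "env", "LABEL"),
    "BEGINSNAP": ("INVOKE", "obj", "SNAP"),     "ENDSNAP": ("RESPONSE", "obj", "SNAP"),
    "BEGINUPDATE": ("INVOKE", "obj", "UPDATE"), "ENDUPDATE": ("RESPONSE", "obj", "UPDATE"),
}
Action = Tuple[str, object]  # (Figure 9 action name, argument or None)

def ir_violation(sched: List[Action]) -> Optional[str]:
    """Check conditions 2-4 of Definition 9.3 on p_i's part of a schedule.
    Returns None if they hold, else a description of the first violation."""
    active = False        # last environment action was an INVOKE_{p_i}
    pending = None        # operation type of an outstanding INVOKE_{o,p_i}
    for idx, (name, _) in enumerate(sched):
        kind, side, op = FIG9[name]
        if side == "env":
            if pending is not None:     # condition 4
                return f"{idx}:{name} while {pending} is outstanding"
            active = kind == "INVOKE"
        elif kind == "INVOKE":
            if not active:              # condition 2
                return f"{idx}:{name} while p_i is not active"
            if pending is not None:     # condition 3
                return f"{idx}:{name} while {pending} is outstanding"
            pending = op
        elif pending != op:             # condition 3
            return f"{idx}:{name} has no matching INVOKE"
        else:
            pending = None
    return None

def to_ira(sched: List[Action]) -> List[Tuple]:
    """Fuse each INVOKE_{o,p_i}/RESPONSE_{o,p_i} pair into one ATOMIC_{o,p_i}(a_i, v, r)
    (Definition 9.6), i.e. the SNAP_i / UPDATE_i actions of UCTSS and BCTSS."""
    problem = ir_violation(sched)
    if problem is not None:
        raise ValueError("not IR-well-formed: " + problem)
    out: List[Tuple] = []
    i = 0
    while i < len(sched):
        name, v = sched[i]
        _, side, op = FIG9[name]
        if side == "env":               # environment actions are kept unchanged
            out.append(sched[i])
            i += 1
        elif i + 1 == len(sched):
            raise ValueError(f"{name} has not been answered yet")
        else:                           # conditions 3 and 4: the RESPONSE is next
            out.append((op, v, sched[i + 1][1]))
            i += 2
    return out

# Constructed schedules: a LABEL_i of p_i following Figure 9, and one in which the
# process snaps the object without a pending environment request.
LABEL_RUN = [("BEGINLABEL", 7), ("BEGINSNAP", None), ("ENDSNAP", ("t", "v")),
             ("BEGINUPDATE", (("t", "v"), ("nt", 7))), ("ENDUPDATE", None), ("ENDLABEL", None)]
BAD_RUN = [("BEGINSNAP", None), ("ENDSNAP", ("t", "v")), ("BEGINSCAN", None)]
```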

Theorem 9.4 BCTSS' and UCTSS' solve CTSS. 

Proof: Using Corollary 9.2 we conclude that BCTSS' implements BCTSS and UCTSS' imple- 
ments UCTSS. From Theorem 7.3 we know that BCTSS solves CTSS, hence BCTSS' solves CTSS. 
Similarly, Lemma 4.10 shows that UCTSS solves CTSS, therefore UCTSS' solves CTSS. ■ 
10 Discussion and Future Work 

Critical to constructing and proving the correctness of our simple bounded timestamping sys- 
tem are the design technique of composition and the analysis techniques provided by the I/O 
Automata Model. 

The composition of the label structure of [11] with the atomic snapshot primitive of [1] 
greatly reduces the complexity of our algorithm relative to [11]. Many possible executions are 
eliminated by the fact that the snapshot primitive returns an instantaneous (in the sense of 
[20]) view of the current labels. Even though the construction of the snapshot primitive is 
complex, its complexity is hidden from the timestamping system. Our simple constructions for 
the multireader multiwriter atomic register and first come first serve mutual exclusion further 
demonstrate the power of using composition to simplify the design and analysis of algorithms. 

Due to the fact that our algorithm uses the snapshot primitive, the complexity of our 
timestamping system is worse by O(√n) than the most efficient known bounded timestamping 
system [12]. The complexity of our bounded timestamping system is the same as the complexity 
of the underlying snapshot primitive. The complexity of the original construction in [1] was 
O(n²). The best construction currently known has complexity O(n√n) [3]. In addition to our 
bounded timestamping system, there are several other areas in which the snapshot primitive 
is useful (see [1]). Consequently, improving the complexity of the snapshot primitives would 
provide a significant contribution. Since the SNAP operation must read n registers, O(n) is a 
lower bound for the SNAP operation. We see no reason why O(n) algorithms for both the SNAP 
and UPDATE operations should not be possible. 

An important feature of the I/O Automata Model is the concept of stepwise refinements 
[29], [21]. Specifically, the I/O Automata Model defines the concept of one I/O Automaton 
implementing another I/O Automaton. Therefore the correctness of complex algorithms can 
be proved by designing a series of algorithms of increasing complexity. The simulation proof 
techniques are used to show that the complex algorithms implement the simpler ones. In this 
way, the complexities of an algorithm are introduced in a stepwise manner. Our use of the simple 
unbounded real number based timestamping specification demonstrates these techniques (see 
[29] for a thorough discussion of these issues). 

The use of the I/O Automata Model in our paper suggests several avenues of research for 
I/O Automata theory. The reader will notice that the I/O Automata section is fairly long since 
it develops several concepts. The need to develop these concepts is due to the fact that the I/O 
Automata Model is much more general than the shared memory system model that is needed 
in this paper. Hence much of the structure of the shared memory model must be developed for 
the I/O Automata Model. A research effort that develops structure for specific system models 
such as the shared memory model and the network model would be an invaluable contribution. 
[15] is a good step in this direction for the shared memory model. 

In recent years, much progress has been made in the area of automatic theorem provers. 
Large parts of our correctness proof, especially the proof for the invariants in Section 6, use an 
extensive, well structured case analysis. Each case is proved by a simple but tedious argument. 
Consequently, we view the correctness proof of our bounded timestamp algorithms as an ideal 
candidate with which to test the effectiveness of automatic theorem provers [6]. In testing a 
theorem prover on our algorithm we hope to determine whether or not I/O Automata proofs 
might in the future utilize theorem provers on a regular basis. 